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THE ROLE OF FCRA IN EMPLOYEE 
BACKGROUND CHECKS AND THE 
COLLECTION OF MEDICAL INFORMATION 


Tuesday, June 17, 2003 

U.S. House of Representatives, 
Subcommittee on Financial Institutions and 

Consumer Credit, 
Committee on Financial Services, 

Washington, D.C. 

The subcommittee met, pursuant to call, at 10:09 a.m., in Room 
2128, Rayburn House Office Building, Hon. Spencer Bachus [chair- 
man of the subcommittee] presiding. 

Present: Representatives Bachus, LaTourette, Kelly, Ryun, 
Gillmor, Biggert, Hart, Tiberi, Hensarling, Barrett, Oxley (ex offi- 
cio), Sanders, Maloney, Watt, Sherman, Moore, Velaquez, Hooley, 
Lucas of Kentucky, Crowley, McCarthy, and Emanuel. Representa- 
tive Pete Sessions was also in attendance. 

Chairman Bachus. [Presiding.] Good morning. The Sub- 
committee on Financial Institutions will come to order. 

Our hearing today is the fifth in a series of hearings the sub- 
committee is holding on FCRA. We previously held hearings cov- 
ering the importance of the national uniform credit system to con- 
sumers and to the economy, and more specifically how the Fair 
Credit Reporting Act helps consumers obtain more affordable mort- 
gages and credit in a timely and efficient manner. 

Today, we will hear how FCRA regulates employee background 
checks and the collection and use of health information or medical 
information. This hearing consists of two panels. The first panel 
will focus on the application of FCRA to employee screening and 
other background checks. Witnesses will include various business 
groups, human resource managers and private investigators. 

The second panel will examine how medical information is col- 
lected and used for various financial products, including a discus- 
sion on the prohibition of the use of health or medical information 
in the credit-granting process. Panelists will include representa- 
tives of life and health insurance companies, the banking industry, 
and independent experts. 

While we usually think of FCRA in the context of credit informa- 
tion, it also applies to background checks for employees. For exam- 
ple, information collected for an employer by a third party about 
an employee’s criminal record, driving record, educational record or 
prior employment history in some instances falls within FCRA’s 
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coverage. The 1996 amendments to FCRA established consumer 
protections for employee background screening. 

Some of these include consumer consent before a prospective em- 
ployer may obtain a consumer report, disclosure of the report to the 
consumer once it is completed, and notice to the consumer of his 
rights before taking adverse action based on the report. Many em- 
ployers conduct background checks of their employees as a safety 
precaution. Moreover, according to a 2002 Harris poll, a majority 
of Americans support their employers’s conducting detailed back- 
ground checks. 

Congress has mandated background checks for many workers in 
the financial services industries, as well as for nuclear, airport and 
childcare businesses. The number of worker background checks has 
dramatically increased since 9-11 due to heightened security con- 
cerns. As a result, mandatory background checks are now required 
for workers at ports and for those who transport hazardous chemi- 
cals. 

Because background checks are becoming commonplace, one 
issue we need to review today is the FTC’s staff Vail opinion letter. 
It makes it much more difficult for employers to conduct back- 
ground checks or investigations of their employees. Under the Vail 
letter, if an employer believes that an employee is engaged in work- 
place misconduct such as committing sexual harassment, racial dis- 
crimination or embezzling funds or other criminal activity, the em- 
ployer cannot hire an independent third party investigator without 
getting the employee suspected wrongdoer’s consent and telling 
him about the investigation and how the investigation will be con- 
ducted. That makes absolutely no sense. If you are trying to catch 
a criminal, why warn him in advance? 

Strangely, employers can investigate alleged misconduct without 
following any of the Vail letter requirements if they do so inter- 
nally. The Vail letter makes it unworkable to hire an outside unbi- 
ased party to do an impartial investigation. Even the FTC admits 
the law should be fixed. 

Our second panel will discuss medical information, health infor- 
mation, and how the FCRA and other state and federal laws gov- 
ern its use. 

The FCRA prohibits consumer reporting agencies from fur- 
nishing reports containing medical information without the con- 
sumer’s consent. Congress passed another law, the Health Insur- 
ance Portability and Accountability Act of 1996 which limits the 
sharing of health information by health care plans and providers. 
In addition, the States have various laws governing insurance com- 
panies in the use and sharing of health information by those com- 
panies. 

The second panel will help us understand whether there are gaps 
in the convergence of these laws and whether financial providers 
are using such information, and if they are, whether they should 
be prevented from using an individual’s medical or health informa- 
tion in any way or in an inappropriate way. 

I want to express my gratitude to Chairman Oxley for his leader- 
ship in these FCRA hearings. I want to commend Ranking Member 
Frank and Mr. Sanders for working with the staff, with me, and 
with Chairman Oxley on FCRA reauthorization. I note that for the 
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second week in a row we have accommodated all of the minority 
witness requests. 

The Chair now recognizes the ranking member of the sub- 
committee, Mr. Sanders, for his opening statement. 

[The prepared statement of Hon. Spencer Bachus can be found 
on page 52 in the appendix.] 

Mr. Sanders. Thank you very much, Mr. Chairman, for holding 
this important hearing. I very much appreciate all of our witnesses 
being with us today. 

This hearing will focus on the role of the Fair Credit Reporting 
Act in employee background checks and the collection of medical 
information. These are important matters that must be carefully 
scrutinized by this subcommittee. Before we delve into these issues, 
Mr. Chairman, I would like to briefly highlight the testimony of 
two of our witnesses from last week’s hearing. 

Mr. Chairman, as I recall, you raised a number of concerns about 
my support for consumers to receive a free copy of their credit re- 
ports at least once a year from all three of the credit bureaus. It 
should come as no surprise that all of the major consumer groups 
in this country support that view, including U.S. PIRG, the Con- 
sumer Federation of America, Consumers Union, and the National 
Consumer Law Center. 

Yet what the chairman and some of the members of the sub- 
committee might not have heard clearly is that according to the 
testimony we received last week, that view is also shared by the 
America’s Community Bankers and the Independent Community 
Bankers of America. I think that it is important that they are com- 
ing on board in order to make sure that all Americans receive a 
free credit report. 

Let me turn for a moment to today’s hearing. First, the issue of 
employee background checks, Mr. Chairman, under the Fair Credit 
Reporting Act. Companies can turn down job applicants because of 
the credit history contained in their credit reports, including large 
student loan debt, high credit card payments, a big auto loan, or 
a heavy mortgage bill. Even worse, job applicants who have errors 
in their credit reports as a result of identity theft are being denied 
employment. In most instances, by the time these errors are taken 
off the job applicant’s credit report, the job they are applying for 
has already been filled by another person. 

Mr. Chairman, this raises troubling questions for the sub- 
committee. One, should a young person who has accumulated 
$30,000 or more in student loan debt be denied a job in favor of 
someone who was fortunate enough to have wealthy parents to pay 
for their college education? 

According to a May 26, 2003 article in The State newspaper in 
Columbia, South Carolina, “Ayana Woodson, a recent business ad- 
ministration and finance graduate from Howard University in 
Washington, DC learned this the hard way. ’These are jobs I have 
not gotten because of my credit,’ said Woodson, now carrying a 
$25,000 college debt, ’I just assumed after I graduated I would 
have this high-paying job and would be able to pay it off,’ she said. 
It is like a double-edged sword. I take out this loan so I can get 
a job, but it may be the very reason to keep me from getting a job.” 
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Mr. Chairman, according to the U.S. Department of Education, 
the average student loan debt has nearly doubled over the past 8 
years to close to $17,000. I think we can all agree that people who 
had to go into debt to get through college should not be forced to 
lose job opportunities because of that debt. 

Secondly, should employers be allowed to deny employment op- 
portunities to job applicants due to errors contained in their credit 
reports? I do not think so, but according to a March 3, 2003 article 
in Investment Dealers Digest, “If you want to work for Goldman 
Sachs, your name had better be squeaky clean. All it takes is one 
blemish on your credit history to prohibit employment there. At 
least that is what one secretarial job candidate recently found out 
the hard way, and she is not alone. Like many young people at age 
24, Kate ran up significant debt on a Citibank credit card. She was 
unable to pay it off quickly, and the account was ultimately sent 
to collection. 

“Over the next 9 years, she gradually paid down the debt, satis- 
fying it completely by 2002. The problem was the collection agency 
failed to report this to the credit agencies, and the account showed 
up on Goldman’s credit check-a-mistake for which the collection 
agency took full responsibility and promised to put it into writing 
in 30 to 60 days, but would gladly relay orally to Goldman. But ac- 
cording to Kate, Goldman’s background checker told her the firm 
would not accept an oral explanation and needed it in writing.” 

To make a long story short, this young lady has a hard time with 
jobs. Mr. Chairman, I do not believe job applicants should be 
turned down from their jobs because of errors contained in their 
credit report. 

Finally, we will be looking today at the Fair Credit Reporting Act 
in the collection of medical information. I have two concerns on this 
issue. First, we need to make it clear that banks and insurance 
companies cannot use medical information to deny consumers cred- 
it or insurance. Banks should not be allowed to use the fact that 
you have cancer to increase the interest rate on your credit card. 
Insurance companies should not be allowed to use the fact that you 
have diabetes to raise your premiums on your renter’s insurance. 

Mr. Chairman, thank you very much for calling this important 
hearing. I look forward to hearing from the witnesses. 

Chairman Bachus. Thank you, Mr. Sanders. 

Chairman Oxley? 

Mr. Oxley. Thank you, Mr. Chairman. Let me thank you for 
your leadership on this important issue of FCRA as we continue 
the series of hearings. You have done yeoman work and we appre- 
ciate all that you have done. 

I am pleased to announce that last Thursday another federal reg- 
ulator came out in support of reauthorization of the national uni- 
form standards for FCRA. Don Powell, the chairman of the FDIC, 
who testified before this committee, said he believes it is necessary 
to make permanent the preemptions in the FCRA in order to en- 
sure no negative economic impact. Mr. Powell joins the Treasury 
Secretary, the chairman of the Fed, and the Conference of State 
Bank Supervisors in support of reauthorizing uniform FCRA stand- 
ards. 
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I also just received a report by the independent Congressional 
Research Service analyzing a critical consumer benefit of the 
FCRA, and that is increased labor mobility. CRS found that mobil- 
ity is an important barometer to judge the importance of having a 
national credit reporting system. No surprise, the U.S. is one of the 
most mobile societies, with 14.5 percent of the population moving 
in any given year, and lower-income individuals more likely to 
move than higher-income groups. It is our national uniform credit 
system that makes this mobility possible and gives us a further 
competitive edge over the rest of the world. 

Throughout modern history, national economies have risen and 
fallen based in large part on the flexibility and mobility of labor 
and management. American consumers and workers enjoy unprece- 
dented mobility in part because of our uniform national credit 
standards. 

Today’s hearing looks at two particular aspects of uniform stand- 
ards under FCRA. The first panel will address the use of FCRA in 
employee background screening. Even before 9-11, Americans had 
become increasingly concerned about ensuring their safety on the 
job from individual predators with criminal records. 

Homicide was the second leading cause of occupational fatalities 
in 2001, and the recent wave of corporate scandals has highlighted 
the need to keep out bad actors at all levels of the American work- 
place. Congress has been calling for expanded background checks 
for a number of sensitive jobs and courts have been imposing more 
liability on businesses that do not perform adequate background 
checks. 

Unfortunately, an interpretation of FCRA by the Federal Trade 
Commission, known as the Vail letter, undermines the ability of 
businesses to protect their employees and consumers. The Vail let- 
ter prohibits employers from using outside third parties to inves- 
tigate employee misconduct unless they first notify the wrongdoer 
of the precise investigation, get his consent, and ultimately give 
him a copy of the investigative report. 

How do you investigate a CEO, for example, who is embezzling 
funds if you have to first get his permission and give him time to 
cover up his actions? How do you get victims to cooperate with a 
sexual or racial harassment inquiry if they know their identities 
will not be protected? You don’t, and that is why the FTC’s inter- 
pretation is at best problematic. Ironically, a company can perform 
an employee investigation without these requirements, but only by 
doing it internally without any of the protections of an outside, un- 
biased, and professional third party. The Vail letter is simply im- 
practical. 

Subcommittee Chairman Bachus and I wrote to the FTC last 
term asking the Commission to change its views, and we support 
efforts by the members here today to correct this problem. 

On our second panel, we will receive testimony on the use of 
medical information in the credit-granting process and the inter- 
play between various federal and state health privacy laws. I share 
the concerns of many of my colleagues that medical information 
may require special protections to prevent its improper use or 
theft, and I look forward to our witnesses’s views on the appro- 
priate balance of national consumer standards on this issue. Once 
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again, I would like to thank the chairman for his leadership and 
the continued bipartisan cooperation of our ranking subcommittee 
and full committee members, Mr. Sanders and Mr. Frank. 

I yield back. 

[The prepared statement of Hon. Michael G. Oxley can be found 
on page 55 in the appendix.] 

Chairman Bachus. Thank you. 

The gentleman from North Carolina? 

Mr. Watt. Thank you, Mr. Chairman. 

I had intended not to say anything, but my chairman provoked 
me to say something to balance at least one thing, not necessarily 
to contradict what he is saying, but to thank you for having this 
hearing today and the series of hearings, because of the difficulty 
of these issues. 

While the chairman is right to have the governing agency bring 
these employment background checks and medical information 
under its jurisdiction, it may be presenting some problems. The 
other side of that is if they are not under somebody’s supervision, 
then they have the capacity to collect erroneous misinformation on 
people, and not be subject to any kind of oversight. 

So we have got to figure out a way to allow them to provide the 
valuable service that they provide to employers, but do it in a way 
that makes sure they are regulated and that they answer to some- 
body and that they are accountable for collecting information that 
is not correct and viable. That is the difficulty. I am not arguing 
with the concern that the chairman of the full committee and the 
chairman of the subcommittee raised in the letter you wrote, but 
if they are not regulated under the Fair Credit Reporting Act, then 
who is going to regulate them, I guess, is the question; and how 
do they get regulated and how do we keep employees or prospective 
employees from having their employment possibilities adversely af- 
fected by information that may not even be correct? 

That is the difficult balance this committee has to deal with. It 
is for that reason that we have witnesses here to enlighten us 
about how we walk that balance and get to a result that is fair, 
both to employers and the agencies that report information to them 
about people’s criminal records and medical records and sexual 
harassment in prior venues, or what have you, yet make sure that 
that information is correct and defensible; and if it is not, that 
somebody is held accountable for it. 

So I thank the chairman. I did not take the time to argue with 
him about this, but more to point out the difficulty of the balance 
and the requirement that this committee has as we go forward. 

With that, I will yield back, unless the chairman wants me to 
give him the last word. I am always willing to give my chairman 
the last word. 

[LAUGHTER] 

I yield back. 

Chairman Bachus. Thank you. 

I have a unanimous consent request, and that is that without ob- 
jection the gentleman from Texas, Mr. Sessions, may be recognized 
for the purpose of making an opening statement and for the pur- 
pose of questioning witnesses under the five-minute rule after all 
members of the subcommittee and the committee have been recog- 
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nized. Is there objection? Hearing none, I would ask the gentleman 
from Texas, who is a cosponsor of H.R. 1543 which addresses the 
Vail letter, if he has an opening statement. 

Mr. Sessions. I thank the chairman and appreciate you allowing 
me to be here today. I have got to be on the floor in a few minutes, 
when they are ready for the new rule. 

Mr. Chairman, I would like to thank you for inviting me to join 
you at this hearing on the Fair Credit Reporting Act, FCRA, as it 
pertains to employee background checks and the collection of med- 
ical information. I am pleased to be rejoining the chairman and my 
esteemed former colleagues on the Financial Services Committee to 
discuss an issue that has long been of great interest to me. 

I would also like to thank my colleague from Alabama, the Chair- 
man, for scheduling this important hearing, for your strong leader- 
ship on the issue, and for your diligent oversight on all aspects of 
FCRA. Certainly, Chairman Bachus’s efforts are commendable, and 
by holding this hearing today he will help Congress to take the 
first step toward making the workplace a better and safer place for 
all working Americans. 

Mr. Chairman, in order to provide a historical context to this 
hearing, I would like to recount briefly the events that have 
brought us here today. In 1999, the staff of the Federal Trade Com- 
mission issued an opinion known as the Vail opinion, concluding 
that outside consultants who perform investigations of alleged em- 
ployee misconduct are considered to be credit reporting agencies. 

As a result, outside consultants and the employees who hire 
them to help ensure unbiased workplace safety are subject to a 
number of burdensome and unintended restrictions on their ability 
to perform these investigations safely, professionally, and effi- 
ciently. Accordingly, they are hampered in performing many kinds 
of workplace investigations, including employee complaints of sex- 
ual harassment, discrimination and threats of violence. For the last 
few Congresses, I have introduced legislation to fix this problem by 
removing the FCRA requirements for investigations of suspected 
misconduct related to employment and to compliance with existing 
laws and preexisting written policies of the employer. 

This proposed legislation also respects the rights of the subject 
of the workplace search, while removing employers from the oner- 
ous and potentially dangerous requirement to notify their subject 
prior to beginning an investigation. The removal of this require- 
ment is important because it prevents violence from employees, 
from giving them time to cover their tracks, or to initiate intimida- 
tion against coworkers who make or corroborate complaints, and 
are an integral part to ensuring the veracity of data included in 
these complaints. 

Mr. Chairman, back in 1997 when a constituent brought the 
problems to me that she was having as a result of the Vail opinion, 
I was shocked to learn that federal law requires an employer who 
suspects that an employee is dealing drugs or engaged in other 
misconduct at the workplace to ask that employee’s permission be- 
fore beginning an investigation. 

Furthermore, I was greatly dismayed to find that federal law 
would also require that the same employer to provide to a poten- 
tially violent employee with a report identifying the coworker who 
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made or who corroborated those allegations of wrongdoing, making 
those helpful employees who were only trying to make the work- 
place safer a target for violence or retribution, and placing them- 
selves in harm. 

This important legislation that I have introduced removes re- 
quirements of the federal Fair Credit Reporting Act solely for the 
purpose of having unbiased third party professional investigations 
of illegal or unsafe activities in the workplace. These limited activi- 
ties include drug use or the sale of drugs, violence, sexual harass- 
ment, employee discrimination, job safety or health violations, and 
criminal activities including theft, embezzlement, sabotage, arson, 
patient or elderly abuse, and child abuse. 

I believe that it is critical for Congress to pass this legislation in 
order to make our workplaces safer, to stop illegal activities such 
as drug dealing, and to identify dangerous employees so that they 
can be provided with treatment before violence occurs. This legisla- 
tion offers Congress the opportunity to replace illegal and dan- 
gerous activities in the workplace with investigation and remedi- 
ation. I think that this is precisely the goal for which we should 
all be striving. 

I also would like to thank the panel that is before us, many of 
whom have come from all over the country to share their experi- 
ences with the Vail opinion and FCRA with us today. I look for- 
ward to hearing their testimony on the issue. 

I would also like to thank the 16 members of Congress on both 
sides of the aisle who have cosponsored this bipartisan legislation. 
I want to thank you, Mr. Chairman, for your leadership, and I ap- 
preciate the time you have given me today. 

[The prepared statement of Hon. Pete Sessions can be found on 
page 58 in the appendix.] 

Chairman Bachus. Thank you. 

Are there any other members wishing to make an opening state- 
ment? If not, I would like to welcome our first panel, which deals 
with the role of FCRA in employee background checks. Our panel- 
ists consist of, from my left, Mr. Christopher P. Reynolds, partner 
in the law firm of Morgan, Lewis and Bockius, on behalf of the U.S. 
Chamber of Commerce. I noted that you were a U.S. Attorney for 
the Southern District of New York. 

Mr. Reynolds. Mr. Chairman, I would hasten to say that I was 
an assistant U.S. Attorney for the Southern District. 

Chairman Bachus. Assistant U.S. attorney, and dealt with many 
cases involving employee and employment matters. 

Mr. Reynolds. Yes, I did, Mr. Chairman. 

Chairman Bachus. Our second panelist is Mr. Harold Morgan, 
senior vice president, human resources, at Bally Total Fitness Cor- 
poration, on behalf of the Labor Policy Association, and previously 
with Hyatt Corporation where you were director of employee and 
labor relations. Our third panelist, at the request of Mr. Sanders, 
is Mr. Lewis Maltby, president of the National Workrights Insti- 
tute. We welcome you, Mr. Maltby. Mr. Sanders also requested the 
testimony of Ms. Margaret Plummer, director of operations for 
Bashen Consulting. We welcome you as a panelist. 

Our final panelist on the first panel is Mr. Eddy McClain, chair- 
man of Krout and Schneider, on behalf of the National Council of 
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Investigation and Security Services. Mr. McClain, you are a former 
private investigator on work-related investigations? 

Mr. McClain. Yes, sir. 

Chairman Bachus. So we welcome you. 

At this time, Mr. Reynolds, we would recognize you for your 
opening statement. 

STATEMENT OF CHRISTOPHER P. REYNOLDS, PARTNER, MOR- 
GAN, LEWIS AND BOCKIUS, LLP ON BEHALF OF THE U.S. 

CHAMBER OF COMMERCE 

Mr. Reynolds. Thank you, Mr. Chairman, and distinguished 
members of the subcommittee. Good morning. 

I am grateful to you for the privilege of testifying before you 
today. In the interests of time and with your permission, I will 
summarize my written testimony. My purpose today is to testify on 
behalf of the U.S. Chamber of Commerce regarding FCRA’s affect 
on employee background checks and employer investigations into 
workplace conduct. 

I do that on the basis of my experience as a partner at Morgan, 
Lewis and Bockius representing employers in litigation, investiga- 
tions, and providing advice and guidance; as a member of the 
American Bar Association’s Labor Section and Equal Employment 
Opportunity Committee; and as also a member of the Securities In- 
dustry Association’s Legal Division. 

Mr. Chairman, the reauthorization of FCRA’s uniform standards 
provisions is terribly important to the members of the Chamber 
and to the efficient functioning of the national credit system. With- 
out those standards, we would be faced with a complex and con- 
fusing web of conflicting state standards that could only impede the 
availability of credit and limit the access of small businesses to the 
credit that will help them grow and survive tough economic times. 
We urge this committee at a minimum to preserve those standards. 

The two issues that also concern the Chamber beyond reauthor- 
ization would be the background check issue and the workplace in- 
vestigation issue. Concerning background checks, our primary con- 
cern is not with existing law, but with the possibility that new pro- 
visions will be added, provisions that hurt an employer’s ability to 
ensure workplace integrity and workplace safety by obtaining reli- 
able job-related information compelled by business necessity on ap- 
plicants and employees. 

Now, employers use these background checks to make sure their 
workplaces are safe and secure. We need them. A recent study by 
the Avert Internet-based screening firm found that 24 percent of 
1.8 million applications in the year 2000 were submitted with mis- 
leading or negative information. The Society for Human Resources 
Management found in a 1998 survey that 45 percent of employers 
found that an applicant had lied concerning their criminal record. 
Many states impose on employers the potential liability for neg- 
ligently hiring someone who is a danger to the safety and security 
of the workplace. Background checks allow us to avoid that liability 
and fulfill our legal duty. 

Against the painful backdrop of September 11, the public and 
this government also increasingly expect employers to use back- 
ground checks. According to a Harris interactive poll in 2002, 53 
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percent of employees want their employers to conduct more de- 
tailed background checks of applicants and coworkers to ensure 
safety. In this session alone, Congress has introduced 21 different 
bills requiring background checks for workers. It is a clear signal 
that the government expects employers to use them. 

The Chamber understands and appreciates that there is a nec- 
essary and welcome balance between workplace security and pri- 
vacy. We believe that the existing FCRA provisions of consent, no- 
tice and disclosure provide that balance. We also believe that the 
nation’s existing equal employment laws provide a ready remedy 
for any company or employer that abuses background checks for 
discriminatory purpose. We also note the numerous State laws that 
restrict or limit the ability of employers to use information in back- 
ground checks improperly. 

If you do make changes to FCRA on the background check issue 
beyond its reauthorization, we urge you to allow employers who use 
contract workers to have access to the contractor’s background 
check information without converting that contractor into a con- 
sumer reporting agency. There are many safety-sensitive industries 
that use contract workers and the underlying employer needs that 
information to ensure safety. 

Now, with your permission, Mr. Chairman, let me echo your pre- 
vious comments on the Vail letter. The issue is simple. The FTC 
through the Vail letter has thrown up a roadblock to the effective 
use of workplace investigations of employee misconduct. We under- 
stand that the FTC will not retract that letter unless Congress 
acts. The Chamber urges that action. 

Employers are instructed by statute in the case of Sarbanes- 
Oxley; instructed by the Supreme Court in the case of the 
Faragher-Ellerth precedent; and by regulations of the Equal Em- 
ployment Opportunity Commission to conduct thorough, effective 
and objective investigations. Often, the only effective way to do 
that is through an outside firm or investigator. Under Vail, there 
is a requirement for notice and consent provisions that would re- 
quire almost immediate notice to the object of that investigation. 
That fundamentally guts the investigation’s effectiveness. Just a 
quick example. Say that I receive a request to investigate a senior 
executive for a sexual harassment complaint. Under the Vail letter, 
I am obligated to advise that senior executive before I begin my in- 
vestigation that he or she might be the object of a complaint, and 
therefore that is going to constrict greatly the ability to find out 
what happened and take appropriate remedial action. There is sim- 
ply no way to satisfy both Vail and the need to investigate effec- 
tively workplace conduct. 

Against that backdrop of increased corporate responsibility for 
self-monitoring, we believe that this choice must be resolved the 
way Congress intended under Sarbanes-Oxley, the way the Su- 
preme Court dictated in Faragher-Ellerth, and the way the EEOC’s 
guidance has laid out in favor of effective investigations. The 
Chamber believes that H.R. 1543 is the right step to address that 
concern and we urge its passage. 

Mr. Chairman, thank you. 

[The prepared statement of Christopher P. Reynolds can be found 
on page 121 in the appendix.] 
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Chairman Bachus. Thank you very much, Mr. Reynolds, for that 
testimony. 

Mr. Morgan? 

STATEMENT OF HAROLD MORGAN, SENIOR VICE PRESIDENT, 

HUMAN RESOURCES, BALLY TOTAL FITNESS CORPORATION, 

ON BEHALF OF THE LABOR POLICY ASSOCIATION 

Mr. Morgan. Thank you very much. Do not worry. I will not be 
asking the members of the committee to do exercises before we 
begin the testimony today. 

[LAUGHTER] 

This morning, I have two simple and basic messages regarding 
FCRA. The first is please do not make it any harder to keep our 
workplaces safe. And two, if possible, please help us to make it 
easier to keep our workplaces safe. 

I am sure the original intent and the purpose for expanding 
FCRA to include background checks was to ensure that potential 
employees were guaranteed certain rights and privileges if their 
backgrounds were checks. I am sure the same thought applies to 
investigations in the workplace. However, the actual on-the-job re- 
ality of FCRA makes it increasingly difficult to maintain a safe 
workplace. 

Many individual states have added to these restrictions on top of 
FCRA. The FCRA regulations, in addition to the additional State 
laws, really cut to the heart of workplace safety. The fact of life 
today is that every critical public or stakeholder that has anything 
to do with our operations expects me to run a safe workplace. The 
duty and trust and obligation of maintaining this safe workplace is 
even more difficult in businesses such as mine where you have 
large amounts of employees, a lot of employee turnover, and where 
you are dealing with customers on a minute-to-minute basis. 

So by way of introduction, this is the overview of where we are 
coming from on FCRA. But what is at the heart of the problem? 
The problem is that to make hiring decisions with increasingly 
more difficult limits and restrictions on what we cannot and can 
look at is unrealistic and is increasingly compromising workplace 
safety. For instance, should I hire someone to be a childcare at- 
tendant who has several arrests, but no convictions for child moles- 
tation? Should I hire a salesperson who has information regarding 
credit cards and financial information about a potential customer, 
but who has a deferred adjudication for fraud? Should I hire a per- 
sonal trainer who has been arrested for assault and battery, but 
has pled down to a misdemeanor, or who has a conviction that is 
over seven years old? The problem with FCRA and the additional 
State laws is that I cannot use this information in making employ- 
ment decisions. 

Congressmen and congresswomen, I believe that this is playing 
roulette with the safety of everyone involved in the workplace. Em- 
ployers cannot be subject to courtroom standards in order to keep 
their workplaces safe. The reality of life is that I should not hire 
the personal trainer with several arrests, but no convictions, and 
I should not hire the childcare attendant who has pled down to a 
misdemeanor for child molestation. Nevertheless, FCRA and the 
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State laws suggest that I should not consider any of this informa- 
tion in making my employment decision. 

The other issue, which Mr. Reynolds has covered, is Vail. Very 
simply, this makes it difficult to conduct investigations in the 
workplace, which all of you would agree is something that should 
be done and should be done in a fair and consistent manner. Vail 
only results in a chilling effect on people coming forward regarding 
workplace misconduct and problems that are going on in the work- 
place. Investigations should be able to be done and proceed in a 
way that does not limit us and that affords all people involved a 
great deal of confidentiality. 

As I said in the beginning, please help us to make workplaces 
safer. In order to do that, I would suggest five key issues. First, 
please allow us to look at criminal backgrounds without any time 
limitations. Second, please allow us to consider arrests in looking 
at the totality of an individual’s background regarding their suit- 
ability to work in a particular place. As long as we are within the 
EEOC guidelines, the burden of proof beyond a reasonable doubt 
should not be a standard that applies in the workplace. 

Three, please give us access to national databases so that we do 
not have to go to thousands of jurisdictions to see if someone 
should or should not be an employee regarding what they have 
done in their past. Please give us a safe harbor from more restric- 
tive State laws, provided that FCRA is adhered to from a regula- 
tion standpoint. And fifth, please allow us to conduct any and all 
investigations regarding workplace misconduct in a confidential 
manner and not subject to FCRA. 

Last and certainly to highlight this issue, in 1999, as all of us 
are aware, several terrorists tried to come through the Canadian 
border to blow up the LAX airport in celebration of the millennium. 
The identities that these folks were using were partially stolen out 
of databases of my company. Now, we have since closed up that 
issue regarding our databases. 

The employee that was involved in selling off these identities to 
the terrorists had a complete criminal background screen that I 
conducted; was drug tested; and every attempt was made to make 
sure that this employee, like all of my employees, were safe in the 
workplace. Nevertheless, those identities were sold and those iden- 
tities were given to the terrorists that were fortunately caught be- 
fore they were able to set up a bomb at LAX airport. 

The point is this: It is difficult enough to make decisions about 
the unknown and about what may happen in the workplace. Please 
at least let us make decisions regarding what is known. 

[The prepared statement of Harold Morgan can be found on page 
82 in the appendix.] 

Chairman Bachus. Thank you very much. 

Our next witness is Mr. Lewis Maltby. Mr. Maltby, I mentioned 
that you were with the National Workrights Institute. I did not 
mention that you were the founder of that Institute, so we very 
much welcome your testimony. We know you as a nationally recog- 
nized expert on employee rights in the workplace. 
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STATEMENT OF LEWIS MALTBY, PRESIDENT, NATIONAL 
WORKRIGHTS INSTITUTE 

Mr. Maltby. Thank you, Mr. Chairman, and thank you for invit- 
ing me to be here this morning. 

Let me say from the very beginning, I have no problem, no objec- 
tion to pre-hire investigations. I have three school-age children. 
Every morning, I put them on a school bus. I do not want anyone 
behind the wheel of that school bus with DUI convictions. 

But it is not always that simple. There are many situations in 
which pre-hire investigations occur in ways that simply are not fair 
and do not help anyone. For example, at least 2.5 million people 
every year are required to take so-called honesty tests to get a job. 
There is nothing wrong with employers wanting to hire honest peo- 
ple, but honesty tests fail at least four honest people for every dis- 
honest person they screen out. That is a very high price for a lot 
of honest people to pay for businesses to get a dubious advantage 
at best. 

Personality tests are extremely common. They are not inherently 
wrong. Someone who would do very well in a laid-back Silicon Val- 
ley company might not do so well in a very straight-laced Wall 
Street firm. But some of the questions on these tests I would not 
ask my wife. There are questions about your religious belief, your 
sex life, even your bathroom habits on some of these common per- 
sonality tests. With all due respect to Mr. Reynolds, I do not know 
why you have to ask an employee about their bathroom habits to 
tell if they are going to be a productive and safe employee. 

I mentioned criminal records checks. There are many cases 
where that is totally appropriate, like the one with my children. On 
the other hand, there are many employers in America today that 
will not hire a person for any job at any time in their lives if they 
have ever been convicted of anything. You could be, and sometimes 
are, denied a job as a 40-year-old electrician because when you 
were 19 you shoplifted a CD. There is something wrong when em- 
ployers go to that incredible unreasonable extreme. 

The worst part of all of this is the way the information is being 
used. If this information were being used as something to inform 
the judgment of a seasoned HR professional, I would not be so con- 
cerned. But what is happening is, the machines are taking over. 
The test results are trumping the evaluation and the judgment of 
the HR professional. If the honest test says you are dishonest, I 
don’t care if you are a nun, and this is a real case, the HR person 
cannot say, “Well, the test is obviously wrong.” They can’t and they 
don’t. If the test says you are dishonest or you don’t fit or anything 
else, you are simply out. That is not the way things ought to be 
done. 

Regarding the Vail letter, let me not belabor the obvious, except 
to say Mr. Morgan and Mr. Reynolds are right. There is a problem 
here. As a civil rights lawyer, I want to see investigations of al- 
leged sexual harassment or racial harassment or other civil rights 
violations conducted quickly, thoroughly and effectively, and the 
Vail letter as it stands is an obstacle. The real question is, how do 
we fix the obstacle? Mr. Sessions has certainly taken us the first 
step in that direction. It is clearly surreal, maybe that is too kind, 
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to say we have to tip off the person we are investigating and get 
their permission before we conduct an investigation. 

But that is not the entire situation we have to deal with. What 
if, for example, the employee is innocent? Perhaps the investigation 
clears them. Shouldn’t they be told after the investigation is over 
that they were investigated and they were cleared, and being 
shown a copy of the report? Is it really fair that that report should 
follow them for the rest of their career, or at least their career at 
this company, and they don’t even know it happened? I do not 
think so. 

For example, what if there never was any genuine suspicion of 
wrongdoing? Pretext investigations are not common, but they hap- 
pen. We do not want a law that says that a company can inves- 
tigate somebody whose real offense is trying to organize a union on 
the pretext they have stolen a pencil. The law ought to require that 
there be a genuine suspicion of wrongdoing before the investigation 
starts in the first place. And whatever minimal standards the 
FCRA contains about fairness and accuracy in conducting the in- 
vestigation and compiling the report should not be lost either. 

I know that none of those problems were intended to be created 
by Mr. Sessions’s bill, but we need to do more than just simply 
crudely yank criminal investigations in the workplace out from 
under the FCRA. It has to be done in a more nuanced, thoughtful 
fashion. Mr. Sessions’s bill is the first step, but it is not the only 
step. 

From having looked at the issues, I see nothing here that people 
of good will and intelligence could not resolve, given discussion. We 
have already had some discussions on these matters and I am con- 
fident that if allowed to continue we could reach a resolution that 
would accomplish Congressman Sessions’s objectives and the con- 
cerns of people like me in the civil rights world. 

Thank you. 

[The prepared statement of Lewis Maltby can be found on page 
60 in the appendix.] 

Chairman Bachus. Thank you, Mr. Maltby. 

We would also welcome coming together on this issue. We are 
also optimistic that we can do that. 

Ms. Plummer, I previously recognized you. You actually manage 
EEOC claims, risk management services, quality assurance, and 
consultant supervision for Bashen. I noted that you practiced busi- 
ness and employment law with the firm of Randolph, Hunter in 
Greenville, South Carolina, so you also have litigation experience 
in employment matters. We welcome you. 

STATEMENT OF MARGARET PLUMMER, DIRECTOR OF 
OPERATIONS, BASHEN CONSULTING 

Ms. Plummer. Thank you very much, and also thank you to the 
members of the subcommittee for having us here today. 

Bashen Consulting is a minority-owned human resources con- 
sulting firm that has conducted thousands of employment discrimi- 
nation, harassment and ethics investigations for companies nation- 
wide. I thank you for allowing us to participate in these important 
discussions regarding the role of the FCRA in employment-related 
investigations. 



15 


The Federal Trade Commission’s interpretation of the FCRA as 
expressed in the 1999 Vail opinion letter will have a chilling effect 
on the efforts of employers to prevent and correct unethical dis- 
criminatory and harassing behavior in the workplace. 

In 1998, the Supreme Court profoundly changed the workplace 
harassment landscape. It became clear that for employers to pro- 
tect themselves, they must implement effective policies and com- 
plaint procedures, conduct prompt and thorough investigations of 
employee complaints, and take remedial action. Today, courts and 
government agencies charged with enforcing civil rights legislation 
examine not only the fundamental question of whether unlawful 
conduct occurred, but the quality and integrity of the employer’s in- 
vestigation of the alleged conduct. 

Many employers naturally seek the experience and expertise of 
qualified third parties to thoroughly and impartially investigate 
employee concerns. Countless companies, especially small compa- 
nies, do not have the internal resources or skills to investigate em- 
ployee complaints. In many situations, companies hire third parties 
to ensure that maximum credibility is given to the investigation, 
often due to the sensitive nature of the allegations or the high-level 
position of the alleged wrongdoer. 

I recently conducted an investigation for a large corporation in 
which a human resources staff member complained that he was 
discriminated against based on his national origin when he was de- 
nied a promotion. The company would have been placed in the un- 
tenable position of having its human resources department police 
itself if the investigation was conducted in-house. 

The HR department recognized its potential conflict of interest, 
and more importantly the appearance of a conflict if the investiga- 
tion failed to support the staff member’s claim. The company hired 
Bashen Consulting to ensure the integrity of the investigation. 
However, according to the FTC this company would be subject to 
increased liabilities and requirements because they hired experts 
in the field instead of investigating the complaint internally. 

Under the FTC’s interpretation, companies striving to comply 
with civil rights legislation must now decide between the risk of 
uncapped damages under the FCRA if they request an investiga- 
tion, and the limited damages available under civil rights laws if 
they fail to investigate at all. Companies would also be required to 
obtain a written authorization by the alleged wrongdoer to conduct 
the investigation. The notion that an accused harasser must con- 
sent to an investigation of his inappropriate behavior is contrary to 
common sense. 

More alarming is the detrimental effect the FTC’s interpretation 
of the FCRA poses for employees. The law would require the com- 
pany to provide the alleged wrongdoer with a complete copy of the 
investigative report. These reports identify witnesses and the infor- 
mation each provided, and producing it would irreparably com- 
promise the confidentiality of the investigation. 

Absent assurances of confidentiality, the FCRA will create a 
chilling effect on witnesses’s willing participation in the investiga- 
tory process. Many victims will be too intimidated to complain, 
thus undermining the expressed intent of all workplace civil rights 
legislation. The impact of applying the FCRA to employment inves- 
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tigations is monumental. It would erode the great strides compa- 
nies have made toward eliminating discrimination and harassment. 

H.R. 1543 will remove these roadblocks to progress by excluding 
workplace investigations from the FCRA’s purview. We commend 
Representatives Sessions and Jackson Lee for their leadership on 
this issue and urge you to amend the FCRA accordingly. 

Thank you. 

[The prepared statement of Margaret Plummer can be found on 
page 105 in the appendix.] 

Chairman Bachus. Thank you very much. 

Mr. McClain, we note that you have lectured at UCLA and other 
California colleges and universities, so this ought to be a piece of 
cake, after doing that. 

STATEMENT OF EDDY MCCLAIN, CHAIRMAN, KROUT & 

SCHNEIDER, INC., ON BEHALF OF THE NATIONAL COUNCIL 

OF INVESTIGATION AND SECURITY SERVICES 

Mr. McClain. Thank you, Mr. Chairman. Thank you to the com- 
mittee. 

I am chairman of Krout and Schneider, which is a 76-year-old 
firm, but I have only been a licensed investigator for 47 years. I 
am appearing today on behalf of the National Council of Investiga- 
tion and Security Services, NCISS, which represents investigative 
and protective service companies and their state trade associations 
throughout the United States. We appreciate the opportunity to 
discuss the FCRA. 

Besides many small-and mid-size employers, even many Fortune 
100 firms hire third parties for their expertise and impartiality. 
The FTC says any person who regularly conducts employment in- 
vestigations is a consumer reporting agency under the law. We 
agree that is what the law says, even before Vail, but we believe 
that investigators of workplace misconduct should not be des- 
ignated as consumer reporting agencies and the reports should not 
be classified as consumer reports. 

The 1996 amendments to the FCRA have substantially set back 
progress, as Ms. Plummer said, on sexual harassment and discrimi- 
nation. The EEOC recommends prompt, thorough and impartial in- 
vestigation of sexual harassment, but the Act provides no expla- 
nation or suggestion of what an employer should do if an accused 
person refuses to give his or her permission to be investigated. 

Regarding violence, when an employee exhibits symptoms of de- 
rangement, the last thing the employer wants to do is ask the em- 
ployee for permission to investigate him. My firm is often hired to 
assist employers to deal with potentially violent employees. It is 
not uncommon to have little or no background information in a per- 
sonnel file. 

In addition to public records and surveillance, we need to conduct 
covert neighborhood interviews. Neighbors are often aware of sus- 
picious activity, proclivity toward firearms ownership, and even 
knowledge of explosives. Since the 1996 amendments, the report of 
such an investigation would be considered an investigative con- 
sumer report and it would be unlawful for the employer to order 
such an investigation without disclosure and permission. The rami- 
fications of advising such an employee that he is going to be inves- 
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tigated, then giving him a report of what witnesses said about him 
are obvious. 

Many business failures are the result of employee theft. When 
businesses fail, employees lose their jobs. These are the same em- 
ployees the FCRA is supposed to protect. Investigation of embezzle- 
ment requires stealth and expertise. Embezzlers are usually in the 
best position to cover their tracks. 

Yet before an employer can hire an outside expert to investigate 
embezzlement, written permission must be obtained. Illicit drugs 
are a scourge on our society. Seven percent of American workers 
use drugs on the job, but the FCRA makes it very difficult to ferret 
out drug dealers from the workplace. 

Regarding intellectual property and trade secret theft, prior to 
the 1996 amendments employers were able to hire impartial ex- 
perts to covertly conduct sensitive investigations that would not be 
possible today. For example, my firm was engaged to investigate an 
alleged theft of trade secrets by a Fortune 100 defense contractor. 
Using a combination of public record information, surveillance and 
undercover techniques, we were able to determine the facts. 

A salesman, marketing manager and a production chief had con- 
spired with a scientist to form a competing company that was bid- 
ding on the same government contracts. Although one conspirator 
left our client’s employ, he was fed information by the other two 
who remained as moles. Not only were the scientific secrets being 
disclosed, but bidding information allowing the competitor to slight- 
ly undercut their pricing on closed bids. This successful prosecution 
would have been nearly impossible if our client had to notify the 
culprits in advance of the investigation. 

Conversations with witnesses are considered to be interviews and 
our report to be an investigative consumer report. The employer 
must advise the accused of the nature and scope of the investiga- 
tion, and before taking any adverse action against an employee, a 
complete unedited copy of the report must be provided to the em- 
ployee no matter how felonious their behavior. Since the advent of 
the 1996 amendments, many of our labor lawyer clients have ad- 
vised their clients not to risk investigations, even in the face of sig- 
nificant losses or danger to coworkers. The reason is the attorneys 
do not wish to provide subjects with a copy of the investigative con- 
sumer report. 

We strongly support Representative Sessions’s H.R. 1543. This 
bipartisan measure would make clear the investigations of em- 
ployee misconduct are exempt from the disclosure and authoriza- 
tion requirements, while still providing protections for consumers 
and employees. H.R. 1543 does not change the permission require- 
ment for access to credit reports. It also would require that after 
taking adverse action against an employee, an employer must pro- 
vide a summary containing the nature and substance of the com- 
munication upon which the action is based. 

At the FTC, former Chairman Pitofsky recommended Congress 
consider a legislative change to remedy the unintended con- 
sequences of the 1996 amendments. Last month, Howard Beales 
made the same recommendation to this committee. We hope action 
will finally be taken. 

Thank you for your attention. 
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[The prepared statement of Eddy McClain can be found on page 
63 in the appendix.] 

Chairman Bachus. I thank the gentleman. 

My first question, Ms. Plummer. Prior to the FTC letter, was 
there any indication that Congress intended the Fair Credit Re- 
porting Act to apply to workplace discrimination or harassment in- 
vestigations? 

Ms. Plummer. There is no indication whatsoever, either in the 
intent or purposes section of the statute or within the contents of 
the statute. 

Chairman Bachus. Thank you. 

Mr. Reynolds, you testified that the Vail letter makes it virtually 
impossible to use third party investigators, particularly since fail- 
ure to comply with FCRA can result in unlimited liability, includ- 
ing punitive damages. And yet in many cases, employers lack the 
resources, skills and fairness to do those investigations in-house. 
What do these employers end up doing? 

Mr. Reynolds. Mr. Chairman, those employers are caught be- 
tween a rock and a hard place in fulfilling the mandates of the reg- 
ulatory schemes that I mentioned earlier and Supreme Court 
precedent. Often they make the choice, a tough choice, but the 
choice to protect their employees and to do the investigation none- 
theless in a way that allows for the safety and integrity of the 
workplace. Employers should not be put to that choice by the Vail 
letter. 

Chairman Bachus. Thank you. 

In your opening statement you mentioned Sarbanes-Oxley and 
some of the requirements of that Act. If a company finds itself in 
a potential Enron-WorldCom-type situation and decides that it 
needs to investigate some top management for financial impro- 
priety, does the Vail letter pose a problem? 

Mr. Reynolds. The Vail letter poses a significant problem. 
Under Sarbanes-Oxley, often corporate boards and management 
will reach out, and are in fact encouraged to reach out to third 
party objective investigators. Under the Vail letter, once that inves- 
tigation begins, even before the investigation begins, consent has to 
be obtained from the subject or object of that investigation. As Mr. 
McClain has testified, that has the effect of completely negating 
the ability to gain a fair and complete picture of the facts, which 
is precisely what Sarbanes-Oxley went to. 

Chairman Bachus. Thank you. 

Mr. Morgan, suppose you want to investigate the head manager 
of a fitness center, how does FTC’s Vail letter make it more dif- 
ficult? 

Mr. Morgan. I would have to inform them and get consent prior 
to that occurring. In a lot of cases, there are things going on that 
you don’t wish them to know about or you don’t wish them to know 
because they could cover their tracks. If someone was stealing 
money from the facility or if that particular manager was sexually 
harassing one of my employees, I would certainly want an inves- 
tigation done in a way that I could get all the information before 
I made a fair and balanced decision. 

Chairman Bachus. Okay, thank you. 
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Mr. McClain, if a third party investigator uncovers significant 
evidence of employee wrongdoing, such as racial or sexual harass- 
ment, what stops the wrongdoer from disputing every item, par- 
ticularly the testimony of the victims? 

Mr. McClain. Nothing would stop him, Mr. Chairman. One of 
the major problems that I have with on the sexual harassment 
issue is when we get an assignment like that from a client, the 
first thing that we do is we ask our client to get permission from 
not only the accused, but also the accuser. The reason is we want 
to establish the credibility of the accuser and oftentimes, not as 
often as the other way, but sometimes people do conspire to give 
false information. 

So talk about a chilling effect, when someone, take a fairly new 
employee who is in the probationary basis trying hard to hang onto 
their job and is being hit on by a supervisor, so they reluctantly 
go to management, to HR, because they have heard that they 
should report this kind of activity. So they reluctantly go forth and 
report this, and then management has to turn around and ask 
their permission to investigate them. Of course, any other wit- 
nesses that would come forth, we investigate them, too, because we 
need to know who all the players are and try to determine what 
their interests are to be impartial and fair. 

So it just doesn’t work. As I said before, what do we do when 
someone refuses to give permission to be investigated? The em- 
ployer is within his rights to terminate him for failure to cooperate 
with an investigation, but that in itself could be unfair. Maybe the 
person does not want to agree just on general principles. So it cre- 
ates many unintended consequences, I believe. 

Chairman Bachus. In fact, I think two or three of the panelists 
mentioned the EEOC, which actually asks us to protect the identity 
or protect the witnesses. But under this FTC letter, actually, you 
cannot protect their identities. In fact, you go to the wrongdoer and 
give him this information which could actually expose them to dan- 
ger. 

Mr. McClain. Some people think it is a hit list. 

Chairman Bachus. Okay, a very good point. 

Mr. Maltby, you testified about the bill introduced by Represent- 
ative Sessions and other members as a step in the right direction, 
I believe, but not a complete solution. What additional changes 
would you recommend, particularly since employers can avoid any 
FCRA requirements simply be conducting investigations in-house? 

Mr. Maltby. Mr. Chairman, if I could give you a complete and 
thorough set of standards for how to get the guilty without vio- 
lating the rights of the innocent, I would be a much smarter man 
than I am. I can mention two or three critical points. One is we 
need to have protection against pretext investigations. They are not 
common, but they do occur. It is not clear that Congressman 
Sessions’s bill addresses that issue. 

We need to have people be able to see the results of the inves- 
tigation, possibly with certain information redacted, at whatever 
time is appropriate. You obviously cannot show someone, especially 
if they are guilty, the results of the investigation in mid-stream, 
but at some point the investigation is over. There is nothing left 
to compromise and the employee, guilty or innocent, ought to be 
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able to see the report, again possibly with certain information re- 
dacted. 

There are provisions, I believe, in the Fair Credit Reporting Act, 
not terribly strong, to be sure, but I believe they exist, that set 
some sort of minimal standards for the fairness of the process and 
the accuracy of information. Those would be lost if we took em- 
ployee investigations completely out from under the jurisdiction of 
the FCRA. I do not think anyone wants to do that. 

I would be happy to submit additional suggestions to the Chair 
in a very short time, if I might have permission to do that. 

Chairman Bachus. Thank you, and we would welcome that. 

At this time, the gentleman from North Carolina, Mr. Watt. 

Mr. Watt. Thank you, Mr. Chairman. 

I would welcome a copy of Mr. Maltby’s follow-up also. Mr. 
Maltby, you seem to be a little outnumbered on this panel. 

Mr. Maltby. I am not, Congressman. 

Mr. Watt. Not necessarily. I am trying to find common ground 
here, rather than trying to score points about who is right and who 
is wrong, because there is some right, as you acknowledged, on 
both sides of this issue. 

So that I can explore that common ground, let me talk to Mr. 
Reynolds and Mr. Morgan for a little bit here, about their reactions 
to the things that Mr. Maltby has proposed. He, as I was jotting 
down what he said, agrees that the prior consent requirement of 
Vail is probably not a good thing. I think most people would prob- 
ably agree with that. I take it you all agree with that. 

Mr. Reynolds. Yes, Congressman. 

Mr. Watt. Check one for common ground there. 

On pretext investigations, he thinks there ought to be some ex- 
plicit protection that says you cannot use criminal or other back- 
ground information as a pretext to try to eliminate somebody. 
What do you think about that? 

Mr. Reynolds. Congressman, there are already provisions in ex- 
isting law to cover that. 

Mr. Watt. What law? 

Mr. Reynolds. For example, under Title VII, if an employer 
were to use a criminal background check as a pretext where the 
real purpose, for example, was to discriminate, that would clearly 
violate Title VII. 

Mr. Watt. So what you are saying is we just need to reconcile 
EEOC Title VII and the Fair Credit Reporting. Is that an explicit 
provision or is that case law? 

Mr. Reynolds. That is case law, and it is commonly held case 
law that has been in place since the 1970s. 

Mr. Watt. And you agree with that, so if we could figure out 
some way to get those things consistent, you would be happy with 
that? 

Mr. Reynolds. Congressman, I believe they are already con- 
sistent. Title VII is in existence. The case law is quite explicit. 

Mr. Watt. Okay, but if we made it explicit under Fair Credit Re- 
porting that you cannot do pretext, would that be something you 
and Mr. Morgan would object to? 

Mr. Reynolds. At least from my standpoint, Congressman, I be- 
lieve the pretext issue is covered completely by both Title VII and 
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the courts and I do not see a need to add to the provisions of FCRA 
in order to address that issue. 

Mr. Watt. Okay, well, I think you are missing my point. You 
have one law that doesn’t say anything about it, and another law 
that says something explicit about it, at least in case law, and you 
all are testifying that there is a conflict here. Couldn’t we reconcile 
that by simply making it explicit? That is the question I am asking. 
I am looking for common ground here. Am I missing something 
here? 

Ms. Plummer, would I be chasing the wrong dog if I tried to just 
make explicit what Mr. Reynolds says is already over there some- 
where in another area, but if we just put it in Fair Credit Report- 
ing, would that be okay with you? 

Ms. Plummer. No, it would not be okay. 

Mr. Watt. Okay, then why wouldn’t it be okay? 

Ms. Plummer. The effect of doing that would be to muddy the 
waters because Title VII and the case law that follows it do com- 
pletely cover the issue of pretext based on protected class status. 
If you then add that to the FCRA, you are simply adding yet an- 
other burden, yet another interpretation that has to be made of 
that law. 

Mr. Watt. But Mr. Reynolds just told me that I am not adding 
anything because FCRA is already subject to Title VII. So why 
would I care about making that explicit? 

Ms. Plummer. You would not be adding anything to the rights 
of the employees or to the citizens, but you would be adding yet an- 
other layer of judicial interpretation of the statute that employers 
would have to combat. As we can see here, the language in the ex- 
isting statute has brought us all here today. So my concern if we 
attempt or Congress attempts to clarify pretext in the FCRA, it will 
lead to confusion. 

Mr. Watt. Mr. Maltby, what do you say to this? I am trying to 
be an honest broker here and walk down the middle. 

Mr. Maltby. Congressman, I would not say you are chasing the 
wrong dog, but I would say you are missing a lot of the pack. 

Mr. Watt. Okay. Go ahead. 

Mr. Maltby. I actually think Mr. Reynolds is correct. 

Mr. Watt. All right. 

Mr. Maltby. If the investigation is a pretext for getting the black 
employee out of the workplace because of some sort of racial bias, 
I think he may be right; that that is already adequately addressed 
by Title VII. But that is one of 100 possible reasons for pretext. 

What if the real reason for launching the investigation is because 
the person is organizing a union, or they are a woman who does 
not like the way women are being treated in the company and they 
are starting to make some noise about it, or because you just don’t 
like the guy, or because he is gay in a jurisdiction where that is 
not protected by law? There are 100 reasons to launch a pretext in- 
vestigation. One of them may be covered, but the other 99 are not 
protected. 

Mr. Watt. What about this copy of the report in some redacted 
form at some appropriate time? Mr. Reynolds, do you think if some- 
body is investigating me and I am found to not have any problem; 
I am investigated and you have found nothing. Do you think it is 
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okay if I get the report at some point, that maybe then I can take 
it to another employer and say, look, this one turned me down after 
they found that I was not guilty; maybe you will consider me posi- 
tively. 

Mr. Reynolds. Congressman, let me at the outset just caution 
the use of the words “innocence” and “guilt.” In the context of 
workplace investigations, the employer is not the government. They 
do not make findings of whether someone has violated a statute. 
This is important for this reason. What Mr. Maltby may suggest 
in his comments, the provision of the report et cetera, those are 
certainly potentially due process protections, but they are due proc- 
ess protections that are better suited to the context of govern- 
mental action in a criminal prosecution. 

In this context, you have an employer whose obligation is to 
make the best possible judgment based on the best possible inves- 
tigation they can do. They are not held to the standards of reason- 
able doubt, nor should a question of innocence or guilt be at issue. 
The real question is whether or not the employer can do an effec- 
tive investigation to determine whether or not the company’s poli- 
cies have been violated, and sometimes those policies are broader 
and more expansive at the employer’s option than law. 

So under those circumstances, to get to your question, Congress- 
man, my answer would be that there are many circumstances 
where it would not be appropriate to mandate that the employer 
provide a copy of the report. One quick example, there are many 
instances in which the investigation is about a current employee’s 
actions vis-a-vis another current employee. It is the employer’s obli- 
gation to make sure that the complaining employee is not retali- 
ated against. We would not want to be in a position of creating the 
atmosphere, the conditions for retaliation. 

Mr. Watt. I think that is what Mr. Maltby was trying to redact, 
I assume. I do not think we would have any problem with that. 

Okay, I think what you all have succeeded in doing is showing 
us how difficult this area is. Mr. McClain is going to clarify it for 
us. 

Mr. McClain. Thank you, Mr. Watt. I would just like to com- 
ment on some of these issues. 

With regard to providing a copy of the report, Section 609 of the 
FCRA does provide for discovery. So even if Representative 
Sessions’s bill were enacted, anybody that wanted to dispute their 
termination still has the ability to get a complete copy of that re- 
port usually under a confidentiality agreement supervised by the 
court. That is the way they do it, so they can get a copy. 

Mr. Watt. I have to be in litigation before I can get a copy of 
it? 

Mr. McClain. Well, there are reasons for that. The court can 
protect the witnesses, for instance. If there is some indication that 
the names of those witnesses should not be just handed over, so 
then they use the attorneys for insulation. The other thing, regard- 
ing Mr. Maltby’ s statement, talk about unfairness, some employers, 
and I do not have any hard and proof evidence of this, but I do be- 
lieve that sometimes because employers are unable to do a thor- 
ough investigation without telling everyone, because of the Fair 
Credit Reporting Act, I think they sometimes think that the easier 
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way, and it is certainly cheaper than hiring me, the easier way is 
to just get rid of the suspect; find another reason to get rid of him. 
Now, that is unfairness and that is an indirect result of a law that 
is supposed to be protecting these same employees. 

Mr. Watt. I think Mr. Morgan wants to say something. I have 
run out of time myself, but maybe the Chair will let you respond. 

Mr. Morgan. Congressman, in a lot of workplaces, the reality is 
that there are sometimes small groups of employees. My stores, 
which would not be untypical, usually employ 50 employees. With 
a 50-employee work group, even providing a redacted document, it 
will be obvious who did this and that would create additional work- 
place problems that I would really be concerned with. 

Also, regarding Mr. Maltby’s comments, if someone was orga- 
nizing, I cannot fire someone as a pretext under the National Labor 
Relations Act. And also, if there were a history of discrimination 
that was going on, I would be subject to a patterns and practice 
suit under EEOC for that. So there really are a lot of protections 
out there already. 

Chairman Bachus. At this time, I am going to ask Mr. Tiberi to 
take the chair, and I am going to recognize Mr. Crowley, the gen- 
tleman from New York, for questions. 

Mr. Crowley. I thank the Chairman. 

My staff is telling me the second round of panelists is going to 
have more difficult issues, and it is interesting to hear about the 
Vail letter and the FTC, that this seems to be an issue that needs 
to be worked on a great deal more. So I appreciate the testimony 
of all of you here today. 

I thank Mr. Watt for his line of questioning as well. I think it 
amply demonstrated that there is a need to really clarify what the 
intent is. 

I just want to move to another area, and that is concerning the 
seven criteria. Mr. McClain, if I can direct the question to you, and 
then if the other members of the panel could respond in some way, 
I would appreciate it. The consumer credit report certainly includes 
information about a consumer’s credit worthiness, credit standing, 
and credit capacity, and then four other categories: character, gen- 
eral reputation, personal characteristics, and mode of living. 

I understand that for the most part, the financial services indus- 
try generally looks at the issue of credit worthiness, credit standing 
and credit capacity for granting or denial of credit. The terms 
“character, general reputation, personal characteristics and mode of 
living” are used more in investigatory reports that are governed by 
the FCRA. 

As these four criteria are not defined at all under 15 U.S. Code, 
I was wondering if you would both define these terms as you be- 
lieve they are used, as well as let the committee know if these are 
important criteria. And if so, should they be defined in statute to 
prevent such a broad swath of information from being used in in- 
vestigatory and/or credit reports under FCRA? 

Mr. McClain. I think further definition would always be helpful. 
I am not sure to what extent you can do that. The FTC has taken 
the position, and I don’t think wrongfully, that pretty much in any 
report it is very difficult to have a report that does not encompass 
one or more of those definitions. 
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So I do not know if a further definition might help, but I think 
the big issue is whether or not these types of reports should be con- 
sumer reports. I believe rather than trying to define all of these 
things further, if we just made it clear in the law that these types 
of investigative reports are not covered by the FCRA, I think that 
would be appropriate. 

Many of the investigations that we do, we do not necessarily run 
credit reports. Credit reports contain information that would be 
very helpful on embezzlement investigations, particularly when you 
are looking for someone who is living beyond their means. It is a 
flag that indicates you might be on the right track. But in every 
instance, the Sessions bill would not change that. You would still 
have to have the consumer’s written permission before you could 
run a credit report. So we would be able to do other types of inves- 
tigations, but we would not be able to run credit reports. I hope I 
was responsive to your question. 

Mr. Crowley. Would you be in favor of the status quo, then, 
leaving the seven criteria and those four particularly that I men- 
tioned at the end, intact? 

Mr. McClain. We have learned to live with and understand 
what they mean, provided that this general category of misconduct 
investigation is excluded, and it clearly indicates that it is not a 
consumer report, then those definitions would not affect misconduct 
investigations, but they would still affect all of the other investiga- 
tions. 

I do not have any problem with preemployment. We have learned 
to live with that. I think most of the employers have learned to get 
applicants’s permission before they investigate them. That is not a 
problem. It is when you have an existing employee who is 
malfeasant in some respect that you have to investigate. Therein 
lies the problem. 

Mr. Crowley. In all four of these, character, general reputation, 
personal characteristics, mode of living, are these all opinions that 
you derive from information that is given to you? For instance, per- 
sonal characteristics and general reputation, how would you define 
that? 

Mr. McClain. Well, the FTC can say that just about anything 
we do, I mean, if I go down and check Superior Court records on 
someone and they say that that record check is going to possibly 
indicate the mode of living or the characteristics, so I do not know 
how else to get around that. 

Mr. Tiberi. [Presiding.] The gentleman’s time has expired. 

The gentlelady from New York is recognized for five minutes. 

Ms. Velazquez. Thank you, Mr. Chairman, and thank you to all 
the members of the panel for the information that will help us em- 
barking on this comprehensive reauthorization of the legislation 
that is before us. 

Mr. Maltby, employers obviously collect an abundance of data re- 
garding their employees. Some of the data, such as salary, is fur- 
nished to credit reporting agencies and plays an integral part in 
the credit-granting process. Outside of salary and tenure data, 
what sort of data to employers do employers systematically collect 
on their employees? 
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Mr. Maltby. It obviously varies a great deal from employer to 
employer. But if I think back to the days when I was a corporate 
general counsel and had responsibility for the HR function, I can- 
not think of a great deal that I could not find out about one of our 
employees if I were to take a very careful look through the per- 
sonnel file. There is almost nothing that I could imagine that would 
not be in there. 

Ms. Velazquez. How do employers use this information? Do they 
furnish this data to credit reporting agencies? 

Mr. Maltby. Ma’am, I really do not know that for sure. My as- 
sumption would be that if the employee had applied for the loan 
and the employer knew the employee had applied for the loan, the 
employer would provide any information that appeared to be rel- 
evant, but that is strictly an impression on my part. I really do not 
have any hard data to back that up. 

Ms. Velazquez. Mr. Morgan, given your HR experience, could 
you please comment on this as well? 

Mr. Morgan. Yes. We would only give out information to an 
agency if I had written permission from the employee to do that. 
Under normal circumstances, I am not gathering data up and giv- 
ing it out to anyone. As a matter of fact, I see it as one of my great 
responsibilities to the employees to not do that. 

So generally speaking, I would only give out any information as 
long as I had a release from the employee. That also would go for 
reference checks. The reality of life today is that reference checks 
do not exist because no employers are giving out any information. 

Ms. Velazquez. Thank you. 

I would like to ask this question of Ms. Plummer and Mr. 
Maltby. I understand the restrictions that the Vail letter imposes 
on employers. Employers must provide an employee with notice 
that they are being investigated, and also must secure their con- 
sent before an investigator can begin their investigation. 

I also understand that these restrictions can prevent outside con- 
sultants from conducting an effective investigation. What risks to 
the employee do external private investigators pose to employees? 
In your experience, is there a need for enhanced protections when 
a third party conducts these employee investigations? 

Mr. Maltby. Ma’am, I would not go so far as to say that there 
are no concerns for having an outside third party investigator, but 
in general it is probably better off if there is a third party investi- 
gator. There are just too many possibilities for bias or intimidation 
in an internal investigation, particularly if the person being ac- 
cused is fairly far up the corporate food chain. 

Again, I would not want to make that as a blanket recommenda- 
tion, but my blood does not run cold when I hear that a firm has 
brought in an outside investigator, assuming they are a competent 
professional firm. It might be better to bring in someone from the 
outside who does not have all the potential for bias that an inside 
party might have. 

Ms. Velazquez. Ms. Plummer? 

Ms. Plummer. There are no enhanced concerns for the employee 
when a third party is brought in to investigate. In fact, it improves, 
as Mr. Maltby just expressed, the possibility of an impartial and 
fair investigation. In fact, it is to the employee’s benefit to have 
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somebody from outside the company come in to investigate for just 
that purpose. 

Ms. Velazquez. Thank you. 

Thank you, Mr. Chairman. 

Mr. Tiberi. Thank you. 

I would like to thank the panelists from our first panel for testi- 
fying today, and ask the second panel to be seated for their testi- 
mony. Thank you very much. 

Thank you all for coming today. I will introduce the second 
panel, starting from my left, working to my right: Mr. Chris Peter- 
sen, attorney with Morris, Manning and Martin, LLP, on behalf of 
the Health Insurance Association of America; Mrs. Roberta Meyer, 
Senior Counsel, American Council of Life Insurers; Mr. Marc 
Rotenberg, Executive Director, Electronic Piracy Information Cen- 
ter; Ms. Joy Pritts, Assistant Research Professor, Health Policy In- 
stitute, Georgetown University; and last but not least, Mr. Edward 
L. Yingling, Executive Vice President, American Bankers Associa- 
tion. 

Thank you all for being here today. I would like to remind all of 
you that you have 5 minutes to give us your testimony, and it will 
be followed by questions from those who remain here today. I 
would like to start with Mr. Petersen. Thank you for being here. 

STATEMENT OF L. CHRIS PETERSEN, ATTORNEY, MORRIS, 

MANNING & MARTIN, LLP, ON BEHALF OF THE HEALTH IN- 
SURANCE ASSOCIATION OF AMERICA 

Mr. Petersen. Thank you very much, Mr. Chairman, members 
of the subcommittee. 

My name is Chris Petersen. I am a partner with the law firm of 
Morris, Manning and Martin. Today I am testifying on behalf of 
the Health Insurance Association of America. The HIAA is the na- 
tion’s most prominent trade association representing the private 
health insurance system. Its nearly 300 members provide the full 
array of health insurance products, including medical expense, 
long-term care, dental, disability and supplemental coverage to 
over 100 million Americans. 

My written statement focuses on the continuum of federal and 
state privacy laws and the interplay among those various laws. In 
my oral testimony, I will examine these additional privacy laws, in 
conjunction with the Fair Credit Reporting Act, limiting health in- 
surers’ ability to disclose information. As the committee is aware, 
important provisions of the FCRA are up for reauthorization. The 
HIAA supports the reauthorization of the Fair Credit Reporting 
Act. 

The HIPAA privacy rule is the first of these many privacy laws 
that health insurers must comply with. The rule provides that 
those insurers that meet the definition of a health plan may not 
use or disclose protected health information except as permitted or 
required by the privacy rule. In addition, the privacy rule provides 
for six instances under which a health plan is permitted to use or 
disclose information. Most relevant for today’s discussion are the 
permitted uses and disclosures for treatment, payment and health 
care operations, and those uses and disclosures made pursuant to 
an authorization. 
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Health care operations encompass uses and disclosures necessary 
to administer a health plan’s business and provide benefits to cov- 
ered individuals. Many of the health plan’s routine uses would fall 
under this provision. However, disclosing to a financial institution 
for that institution’s operations would not fall under the health 
care operations exception. As a result, the HIPAA privacy rule 
would not allow a health plan to disclose health information to an- 
other financial institution without that individual’s signed author- 
ization for purposes of that financial institution to make credit de- 
cisions regarding the individual that is the subject of the informa- 
tion. 

The HIPAA privacy rule also provides the privacy standards re- 
quirements under the rule. State laws are preempted if they are 
contrary to the HIPAA privacy rule. Therefore, we have to also look 
at state privacy laws to determine how they interact and regulate 
the ability of a health insurer to disclose financial information or 
health information. 

In 1999, Congress enacted the Gramm-Leach-Bliley Act estab- 
lishing a statutory framework for all financial institutions to use 
in disclosing information. The National Association of Insurance 
Commissioners adopted a model law regulating Gramm-Leach-Bli- 
ley disclosures by health insurers at the State level to provide guid- 
ance for State insurance departments in regulating this important 
area. 

That model regulation governs financial disclosures, but the 
State insurance departments went further than the federal law as 
they also regulate disclosures regarding health insurance informa- 
tion. Insurance entities may not rely on the opt-out rule of the 
Gramm-Leach-Bliley Act to disclose nonpublic personal health in- 
formation. Instead, insurance entities must either have the individ- 
ual’s written authorization to disclose the information, or the dis- 
closure must be allowed under the regulation’s permitted excep- 
tions. 

Generally, the regulation allows an insurance entity to disclose 
information in order to service a transaction that a consumer re- 
quests, or to conduct insurance functions, or to make disclosures 
that are in the public good. This regulation was drafted with indus- 
try, regulatory and consumer input, and I believe those exceptions, 
once again, would not allow an insurance entity to disclose health 
information to another financial institution for the purpose of that 
financial institution making credit decisions. 

In 1982, the NAIC adopted a comprehensive privacy model. This 
also regulates insurance institutions and requires that an insurer 
must have an authorization in order to disclose financial or medical 
information or personal characteristics information, as we dis- 
cussed earlier. Once again, you can disclose for insurance functions, 
but you cannot disclose for purposes to another institution for that 
institution’s credit-making decisions without an authorization. 

Finally, there are a whole array of State privacy laws that gov- 
ern sensitive health information, for lack of a better term. These 
laws are additional protections for specific types of information. As 
you look at the HIPAA privacy rule, insurers have to once again 
make a decision: Do these laws provide greater privacy protections, 
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and limit the scope and uses and disclosures of health information? 
If so, health plans must comply with these laws as well. 

In conclusion, a whole array of laws would prevent health plans 
and health insurers from disclosing medical information for credit 
purposes. 

Thank you. 

[The prepared statement of L. Chris Petersen can be found on 
page 96 in the appendix.] 

Mr. Tiberi. Thank you. 

Ms. Meyer? 

STATEMENT OF ROBERTA MEYER, SENIOR COUNSEL, 
AMERICAN COUNCIL OF LIFE INSURERS 

Mrs. Meyer. Thank you, Mr. Chairman, and members of the 
subcommittee. I am very pleased to be here to testify before you 
today on behalf of the American Council of Life Insurers, the prin- 
cipal trade association for life insurance companies. Our members 
sell life insurance, disability income insurance, long-term care in- 
surance, and also provide annuities. 

Life insurers have a very long history of trading highly sensitive 
information, including our policyholders’s medical information, in a 
highly professional and appropriate manner. Life insurers collect 
and use this information in order to serve their existing customers. 
At the same time, life insurers support very strict protections relat- 
ing to the confidentiality of the medical records. Accordingly, we 
strongly support prohibiting the sharing of medical information in 
connection with the extension of credit. 

Today, I am going to very briefly explain why life insurers collect 
medical information and why it is so important to the life insur- 
ance process. I will very briefly provide an overview of ACLI’s pol- 
icy on medical records confidentiality, and then again touch on the 
key elements of the numerous federal and state privacy laws that 
do in fact provide very comprehensive protection to life insurers’s 
policyholder medical records. In today’s world, life insurance pro- 
tection is more important than ever. In order to continue to make 
insurance products and services widely available at the lowest pos- 
sible cost, life insurers must have access to medical information. 
The risk classification process, which is based in large part on med- 
ical information, provides the fundamental framework for the cur- 
rent private system of insurance. In fact, it is largely this process 
which has made it possible for insurers to make their products 
widely available to American consumers today. 

ACLI’s privacy policy, as I said before, provides for very, very 
strict limits on insurers’s ability to both obtain and disclose con- 
sumer medical information. The principles also support a prohibi- 
tion on the sharing of policyholders’s medical information with a fi- 
nancial institution for purposes of determining eligibility for credit, 
even if in fact that financial institution is an affiliate of the in- 
surer. 

I would now like to speak very quickly to the various federal and 
State laws. Mr. Petersen has spoken to some of them already, so 
I will just touch very briefly on the key elements of those provi- 
sions. First, under the Fair Credit Reporting Act, medical informa- 
tion may be a consumer report because it does in fact bear on the 
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consumer’s personal characteristics and is used as a factor in deter- 
mining an individual’s eligibility for insurance. However, medical 
information is afforded special status under the FCRA. 

Medical information can be disclosed by a consumer reporting 
agency to an insurer only in connection with an insurance trans- 
action and only with the consumer’s consent. Insurers believe that 
the FCRA is critical to their business. It in fact facilitates wide- 
spread availability and affordability of insurance today. 

ACLI member companies also strongly support the privacy provi- 
sions of the Gramm-Leach-Bliley Act. As Mr. Petersen has already 
indicated, medical information under that Act is treated as non- 
public personal information, and may only be disclosed by a finan- 
cial institution provided the individual is given notice of the shar- 
ing and given the opportunity to opt out of the sharing. 

The only circumstances under which notice and opt-out do not 
need to be provided is when the information is shared for oper- 
ational insurance business functional purposes or in connection 
with joint marketing agreement. In fact, state privacy laws gen- 
erally go further than this and require insurers to obtain an opt- 
in for the sharing of medical information. 

In fact, when the National Association of Insurance Commis- 
sioners and the States were first developing and then adopting the 
State laws to enforce and implement the Gramm-Leach-Bliley Act, 
the ACLI member companies strongly expressed the view that 
medical information should be afforded increased protection, given 
its highly sensitive nature. 

Both with the NAIC and throughout the country, as the States 
have considered adoption of the NAIC model, Gramm-Leach-Bliley 
confidentiality regulation, the ACLI has firmly expressed its sup- 
port for the privacy provisions, medical records provisions of that 
regulation, which provide that in fact before a policyholder’s med- 
ical information may be disclosed, there has to be obtained by the 
insurer the authorization or the opt-in of the individual. 

Similarly, the old NAIC model privacy act, as it is called, which 
was enacted before Gramm-Leach-Bliley, would require the opt-in 
of an individual before his or her medical information could be 
shared with a non-affiliated third party, unless in fact the informa- 
tion was again being shared for operational insurance business 
functions. 

Mr. Tiberi. If you could wrap up, Ms. Meyer. 

Mrs. Meyer. I can. Thank you very much. 

The HIPAA rule, similarly, even though the HIPAA rule does not 
directly impact on life and disability income insurers, it would in 
fact require that a health care provider obtain the consent of the 
individual before an individual’s medical records may be disclosed 
to a life or disability income insurer. 

Finally, Mr. Chairman, we appreciate the opportunity to testify 
today. We strongly support strict medical records privacy protec- 
tions, and would strongly support a prohibition on the sharing of 
medical information for purposes of determination of eligibility for 
credit. 

Thank you. 

[The prepared statement of Roberta B. Meyer can be found on 
page 72 in the appendix.] 
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Mr. Tiberi. Thank you. 

Mr. Rotenberg? 

STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, 
ELECTRONIC PRIVACY INFORMATION CENTER 

Mr. Rotenberg. Thank you very much, Mr. Chairman, members 
of the committee. 

My name is Mark Rotenberg. I am Executive Director of the 
Electronic Privacy Information Center. I have taught information 
privacy law for many years at Georgetown. I also chair the Amer- 
ican Bar Association’s Committee on Privacy and Information Secu- 
rity, although I am testifying today on behalf of myself and not on 
behalf of the ABA. Also with me this morning are Chris Hoofnagle, 
Deputy Counsel at EPIC, and Anna Slomovic, our Senior Fellow. 

I am very grateful to you and the members of the committee for 
looking at the issue of medical record privacy. This is clearly one 
of the top privacy concerns for consumers in the United States. I 
think the particular challenge that you face this morning is trying 
to understand the relationship between three different regulatory 
regimes, and whether or not they adequately safeguard the privacy 
of medical records, particularly when they may be made available 
to employers. 

Now, the HIPAA privacy rules, which have been discussed ear- 
lier, do a good job of providing privacy protection for covered enti- 
ties, which are typically the health care plans. But the HHS under- 
stood that HIPAA could not be generally extended to employers, 
and that protection for that type of use of personal information 
would have to be found elsewhere. 

The Fair Credit Reporting Act, while it recognizes certain protec- 
tions for medical information, does not in fact go as far as the 
HIPAA rules, which set out a separate category of protected health 
information. The Gramm-Leach-Bliley rules do not speak directly 
to the protection of medical record information. Other means were 
needed to try to safeguard the protection of medical information 
after passage of Gramm-Leach-Bliley. 

Where does that leave us today? I would like you to consider the 
following scenario. Imagine a prospective employee who is seeking 
a job and the employer asks this person to provide consent for ac- 
cess to the credit report, which is done increasingly today, both 
through standard employment practices and also through obliga- 
tions imposed by federal statute. The employee, believing she has 
a fine credit report and that there is nothing there that would 
produce an adverse determination, signs the consent. 

Now, it turns out that the credit report may in fact provide infor- 
mation from which the employer could infer medical care or med- 
ical services that she has received because, for example, she has 
obtained credit from a neonatal clinic for fertility drugs, an expen- 
sive procedure and something where people might quite likely ob- 
tain credit and establish what would be considered on the credit re- 
port a trade line. From this, the employer may be able to infer 
some information about her intent to have children. 

As a general matter in employment law, it would be improper to 
use that information in the employment determination, but it is an 
example of how information could be made available through a 
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credit report to an employer that the HIPAA rule would otherwise 
try to protect, but could not protect in this instance because the 
employer is not in fact a covered entity under the HIPAA rules. 

Now, I think there are legislative approaches to try to solve this 
problem. But I want to suggest to you more generally, particularly 
in the context of the Fair Credit Reporting Act and the many 
issues that you are considering in this session, that it is particu- 
larly important to understand the role that the States play in safe- 
guarding the right of privacy. I think we have been a little bit too 
quick over the last few years to look for national uniform solutions 
that effectively restrict the ability of State regulators to safeguard 
the interests of consumers when these types of issues arise. 

Returning again, for example, to the example of medical privacy 
under Gramm-Leach-Bliley, this was a problem that was dealt with 
by the National Association of Insurance Commissioners. It was in 
fact the NAIC model guidelines promulgated after Gramm-Leach- 
Bliley that provided a framework for good state regulations in- 
tended to safeguard the privacy of medical information that GLB 
did not otherwise cover. 

But more generally, if you look at the development of privacy law 
in the United States over the last 30 years, invariably what you 
see is that Congress passes a baseline standard to provide a basic 
level of protection to protect privacy interests for consumers across 
the country, and allows the States to regulate upwards, to provide 
more protection when they identify new problems that perhaps 
Washington cannot get to as quickly. 

Sometimes the State efforts succeed, in which case they will be 
followed by other States. Sometimes the State efforts fail, in which 
case they will be disregarded. I think this is precisely what is 
meant by the concept of the States being the laboratories of democ- 
racy. 

So I would urge you today as you consider medical privacy issues 
in the context of financial services, and more broadly the impor- 
tance of the Fair Credit Reporting Act, that you safeguard the abil- 
ity of the States to protect the interests of consumers. I think it 
would be a mistake to allow the preemption loophole to be ex- 
tended beyond this Congress. 

Thank you very much. 

[The prepared statement of Marc Rotenberg can be found on 
page 146 in the appendix.] 

Mr. Tiberi. Thank you, sir. 

Ms. Pritts? 

STATEMENT OF JOY PRITTS, ASSISTANT RESEARCH PRO- 
FESSOR, HEALTH POLICY INSTITUTE, GEORGETOWN UNI- 
VERSITY 

Ms. Pritts. Good morning, Mr. Chairman and members of the 
Subcommittee on Financial Institutions. I would like to thank you 
for this opportunity to testify today on medical information and 
how it is protected in the financial services area. 

I would like to incorporate everything that Mr. Rotenberg just 
said into my testimony, because I think he said it so well. But I 
would also like to emphasize that this is an area that consumers 
are very concerned about. They do not want their medical informa- 
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tion shared in the financial service area without their advance per- 
mission. 

In particular, there is a Gallup survey which was done in the 
year 2000 which showed that fully 95 percent of Americans said 
they did not want their banks to have access to medical record in- 
formation without their advance permission. This is a consistent 
trend, too. It is not something that has just happened. It is con- 
sistent. It is persistent. People are concerned. 

There is no question that those in the financial service industry 
collect and use medical information for legitimate uses in a variety 
of different contexts. From the written testimony that was sub- 
mitted, many of those in the financial services industry say that 
they believe, and as we have heard earlier from Ms. Meyer, that 
they believe that it is improper to use in particular health informa- 
tion for credit purposes. 

These are important policies that the financial services trade as- 
sociations have in place and many do subscribe to them, but poli- 
cies are not enough. The consumer cannot enforce the policy. You 
cannot take it to court. More important, I think, is also the fact 
that policies can change. Fifteen years ago, you would have never 
seen an insurer using a credit score for underwriting purposes. 
There are many instances in which health information can lead 
people to financial distress, so what is to prevent in the future from 
people using health information for credit purposes? What we real- 
ly need are adequate legal protections. The time to put them into 
place is now, before the sharing of this type of information is used 
consistently as a business practice for determining credit purposes 
and for other purposes that medical information really was not in- 
tended. 

One of the things that we really saw when the HIPAA privacy 
regulations were being drafted was a very persistent problem that 
people had been using health information for a long time in man- 
ners that health care consumers really did not understand and 
know about. Yet because it had become an established business 
practice, it was in many ways difficult to control it. The horse was 
out of the barn and there was no getting it back. 

The problem I see is that the laws that we have today are inad- 
equate. There are a lot of them, but there still are a number of 
loopholes. For one thing, they do not cover everyone who holds and 
uses health information in a commercial-type context. They set dif- 
ferent standards and they are often inadequate for using and shar- 
ing health information. And where they overlap, there is confusion 
as to which law prevails. It is that last point, which I think is fairly 
confusing to a lot of people, but which I also find to be fairly dis- 
turbing. 

I think that the FCRA and GLBA, the Gramm-Leach-Bliley Act, 
are particularly problematic from a health consumer’s point of 
view. They govern the sharing of financial information which can, 
by implication, and often does include medical information in the 
financial services industry. 

The Gramm-Leach-Bliley Act allows the sharing of financial in- 
formation, including medical information, among affiliates without 
the permission of the consumer. It does provide for notice, but as 
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anybody who has received the scores of privacy notices from finan- 
cial institutions knows, those notices are often incomprehensible. 

This type of sharing of health information is precisely the activ- 
ity that consumers have repeatedly and strongly said they do not 
want. They do not want insurers and banks looking at it and then 
asking them after the fact whether this is something that they 
really would permit. 

The states have stepped up to the plate. They have filled a lot 
of these gaps, particularly in the health insurance area. They have 
been very, very much advanced as to protections that they offer. 
But the concern is that these laws are subject to attack. 

In particular, the problem here lies, and this is a very kind of 
wonky discussion I am going to launch into, but the problem lies 
with the fact that GLBA has essentially two preemption provisions. 
It allows states to have stronger laws, but then it also incorporates 
all the provisions of the Fair Credit Reporting Act. The Fair Credit 
Reporting Act has a provision that prohibits states from enacting 
laws with respect to the exchange of information sharing among af- 
filiates. 

There have been a number of articles in some trade association 
magazines and law reviews that say what this effectively does is 
prevent States from requiring, for instance, an opt-in for the shar- 
ing of affiliate information. We think that this really needs to be 
clarified and the time to clarify it is now. There is no need to wait 
for a court to make that sort of decision. 

In summation, I would say that health care consumers prefer 
and demand that they have an opt-in for sharing of medical infor- 
mation, including information among affiliates; that the Fair Credit 
Reporting Act preemption provision should be allowed to expire, it 
is merely causing confusion; and that the Congress needs to clarify 
when you have these three different statutes, HIPAA, Gramm- 
Leach-Bliley and the Fair Credit Reporting Act, where they over- 
lap, and there is some confusion as to which one is going to prevail, 
because that is not in the Congressional Record whatsoever. 

Thank you. 

[The prepared statement of Joy Pitts can be found on page 113 
in the appendix.] 

Mr. Tiberi. Thank you. 

Mr. Yingling? 

STATEMENT OF EDWARD YINGLING, EXECUTIVE VICE 
PRESIDENT, AMERICAN BANKERS ASSOCIATION 

Mr. Yingling. Thank you, Mr. Chairman. 

The ABA appreciates the subcommittee’s holding hearings on the 
Fair Credit Reporting Act and the issue of protecting consumer in- 
formation, including medical information. Before I address medical 
privacy specifically, I would like to briefly outline the philosophy of 
the banking industry regarding the use of information and the im- 
portance of preserving FCRA for our economy. 

First, the cornerstone of banking is preserving the trust of our 
customers. That only can be accomplished by protection and re- 
sponsible use of information. Not only is protecting privacy the 
right thing to do, the highly competitive financial market demands 
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it. No bank can be successful without having a strong reputation 
for protecting the confidentiality of consumer information. 

Second, we do believe preserving a national credit reporting sys- 
tem is critical to the U.S. economy. The strength and resiliency of 
the U.S. economy is linked to the efficiency of consumer credit mar- 
kets. U.S. consumers have access to more credit, from more 
sources, and at lower cost than consumers anywhere else in the 
world. 

What makes this possible is a nationwide, seamless, and reliable 
system of credit reporting. Such a system would be impossible 
without the Fair Credit Reporting Act. For consumers, it means 
they can walk into an auto dealership and drive off with a new car 
within an hour. They can move across the country and open a 
banking account without hassle. They can quickly refinance their 
mortgage loan from lenders across the country to take advantage 
of falling interest rates. 

As is pointed out in a study cited in my testimony, one of the 
more remarkable achievements of the FCRA is the increased access 
to credit for lower-income households. By enabling complete and ac- 
curate credit histories, FCRA has helped extend credit to millions 
of Americans who otherwise might not have been able to get it. 
Simply put, the U.S. credit system works and is the envy of the 
world. The reauthorization of FCRA, and in particular the preemp- 
tion of State laws which assures a national, consistent and com- 
plete system, is very important. 

Turning to medical information, it is obvious that such informa- 
tion is at the top of the list of personal information that consumers 
worry about. Three years ago, we convened a select group of bank- 
ers to work on privacy issues. Regarding medical privacy, the task 
force believed it important to reassure the public that, to the extent 
banks possess medical information on a customer, it will be held 
sacred. 

Concern has been expressed that lenders might use medical in- 
formation obtained elsewhere in making a credit decision. ABA’s 
position is that such use of medical information in a credit decision, 
obtained without the knowledge and consent of the borrower, is 
just plain wrong. 

There are, of course, a limited number of instances where med- 
ical information is directly relevant, for example in loans to sole 
proprietorships or small businesses where the franchise value of 
the firm hinges on one or two key individuals. In such cases, insur- 
ance on the key individuals might be required. 

In those instances, the prospective borrower will know what in- 
formation is required and can expressly consent to it being ob- 
tained and used. Otherwise, the lender should not need such med- 
ical information. Finally, any such information obtained should be 
kept strictly confidential by the lender. 

Mr. Chairman, we appreciate the opportunity to testify today, 
and I would be happy to answer any questions. 

[The prepared statement of Edward L. Yingling can be found on 
page 162 in the appendix.] 

Mr. Tiberi. I don’t think I have ever seen that before. You have 
1 minute and 20 seconds to spare. 

Mr. Yingling. I am the last guy before lunch. 
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[LAUGHTER] 

Mr. Tiberi. Thank you, Mr. Yingling. 

Thank you, panel, for your testimony today. 

I am going to defer my 5 minutes for questioning. I am going to 
call on the gentlelady from New York for 5 minutes. 

Mrs. Kelly. Thank you. 

We have been talking today about the use of information that is 
collected with regard to people. I would like to just ask anyone on 
the panel, who is collecting this? Where do you go to get this infor- 
mation? There was at one time a situation I recall, for instance 
with medical information, there was only one company that carried 
it. It was all in one massive computer, so everybody went there to 
get that information. Where do you go to get this information about 
people? 

Mr. Petersen. Health insurers typically get most of their infor- 
mation first, from an application and/or a claim. So that would be 
the starting base. Some of the insurance industry would use a 
clearinghouse that you are referring to. A lot of the health insur- 
ance industry does not use that clearinghouse because of the cost- 
benefit analysis. 

So for health insurers, it would be primarily the application proc- 
ess. Then they would get an authorization, and they have to get an 
authorization both under State law and federal law, to collect infor- 
mation from other sources. Those sources would be identified in the 
authorization. It would be primarily providers, other insurers, and 
maybe in some limited circumstances this clearinghouse that you 
are referring to. 

Claim information, if it is a claim, that information generally 
would come first from the claim submitted by the individual, but 
most generally from the providers themselves. 

Mrs. Kelly. In that clearinghouse that you are talking about, 
where they hold the information, does a consumer have the oppor- 
tunity to change medical information? 

Mr. Petersen. Once again, I am speaking from the perspective 
of health insurers, both under the National Association of Insur- 
ance Commissioners’s 1982 NAIC Act, people have a right to access 
and amend their information. The clearinghouse would be one of 
the covered entities under that Act. 

Now, that Act is only in 16 states. It was the first comprehensive 
privacy attempt at the State level. A lot of very significant popu- 
lation states have it, but it is only 16 states. The HIPAA privacy 
rule would allow you to get access and amend your information, so 
you would have access to the information that the health insurer 
had, and if the health insurer disclosed it, you would have to cor- 
rect the information down the disclosure chain. 

Mrs. Kelly. How complicated is that? How easy is it to find out 
who has your information? 

Mr. Petersen. Once again, from the health insurance perspec- 
tive, you have to make an accounting of disclosures, both under 
HIPAA and under the 1981 Act. So if you made disclosures to those 
kinds of entities, you would have to tell them they had it, and if 
you made a correction, you would have to tell them you made a cor- 
rection. If you wanted a correction and me, the insurance company, 
disagreed, you would have to allow that individual to put some- 
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thing in the record stating that you disagreed with the failure to 
make the correction. 

This is all fairly recent, though, so it is not well-tested as to how 
well it works, to be quite honest, under the HIPAA rule because 
April was the effective date, so we do not know how well it works, 
but they have a process, I think, to address concerns of the past 
in that area. 

Mrs. Kelly. Thank you. 

Ms. Pritts, do you want to speak to that? 

Ms. Pritts. Yes. I think that your original inquiry was directed 
towards the Medical Information Bureau. Is that correct? The Med- 
ical Information Bureau is essentially like a credit reporting agency 
for health information. It is a national bureau that I believe other 
insurers, other than health insurers, can rely on for obtaining more 
or less the status of health information for individuals. 

MIB reached an agreement with the Federal Trade Commission 
a number of years ago that its reports would be considered to be 
consumer reports. So individuals have the right now to obtain a 
copy of their report from MIB, much as they would a credit report 
from a credit reporting agency, for a fee of I think it is $8.50 now. 
They can review that information and they can request that that 
information be corrected if it is inaccurate. They can try to supple- 
ment that record if it is incomplete. 

As a matter of practice, people who have actually attempted to 
use this process have met with mixed degrees of satisfaction with 
it. 

Mrs. Kelly. What I am really driving at is if you are in the proc- 
ess of questioning your medical record that someone else is holding, 
and a financial institution is also getting some of that information, 
is that then flagged to the financial institution so that the financial 
institution knows that there is a question about something on your 
record? There are some things on people’s records that they simply 
do not want others to know, and yet you must sign, in certain situ- 
ations, you feel you must sign a disclosure form. 

So my question is, if you are in the process of questioning the 
great computers in the sky that hold all of this information about 
your credit and your medical records, then how is that transmitted 
to you as institutions for your use so that you know that these are 
issues that are at question? 

Ms. Pritts. Under HIPAA, what happens is, as Mr. Petersen 
was explaining, the individual has the right, first of all, to look at 
their own health information, and we would urge health consumers 
to do that so you have an idea before you sign one of those author- 
ization forms what exactly your financial institution would be re- 
ceiving. If you see something in there that you think is erroneous, 
under HIPAA you can ask your doctor to correct that information. 

Now, there are a number of circumstances under which they do 
not have to do that. What they do is, the patient can also submit 
a statement saying, “I still think that this information is wrong.” 
At that point, the health care provider is supposed to forward that, 
either they correct it or they deny it, and we are going to assume 
that the patient has supplemented and said, “I still disagree with 
you.” At that point, they are supposed to forward that information 
on to places like perhaps a financial institution. 
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If a patient has said, “Look, I am worried; I think this informa- 
tion might be getting into my credit report,” they would have to 
identify them as somebody that this information should be for- 
warded to. 

Mrs. Kelly. I am out of time, but I hope you will give me my 
own time to further pursue this a bit. 

Thank you. 

Mr. Tiberi. Mr. Lucas? 

Mr. Lucas of Kentucky. Thank you, Mr. Chairman. 

I have found this testimony very enlightening. In my prior life 
for some 32 years, I was involved in insurance underwriting and 
also banking, so I am a little conflicted here about some of the 
things that I hear. 

I can see, Mr. Yingling, from the bankers’s standpoint, particu- 
larly the analysis used of a small business owner, this medical in- 
formation is very relevant in making a credit decision. I also can 
appreciate from the fact of people wanting privacy that there is 
some information that may get out there that they do not want 
people to know, that is not relevant to the decision. 

I guess from a public policy standpoint, I think that we need to 
reauthorize the preemption. But I would be interested in what 
kinds of things we could do to tweak this so we could hopefully 
make everybody reasonably comfortable, because as it is now, we 
have some problems. So does anybody want to take a shot at that? 

Mr. Yingling. Congressman, I would just say that the only time 
in the credit -granting process that we believe medical information 
ought to be used is where two criteria are met. One is that it is 
relevant; and two, that you get the express consent of the potential 
borrower. 

Now, this is really tight. It is not just a tight criteria. It is not 
opt-in. It means that for this specific transaction only, you are 
going to get the permission of the borrower to get specific informa- 
tion, so that the borrower would have the ability to say, for exam- 
ple in Ms. Kelly’s question, “You are not going to some third party 
that has all this information in a computer. You can go to my in- 
surance company and make sure I have an insurance policy. I will 
show you the insurance policy that protects you in case I die and 
I am the franchise.” 

Or in rare instances, where there is a specific health question, 
you can go to my doctor and get specific information. But it seems 
to me that you have a real governor here in that the borrower has 
the ability to say, “Yes, I will give you the information and I will 
only give you that specific information, and here is where we are 
going to agree to go get it.” 

Mr. Lucas of Kentucky. What if you had a situation of a small 
business owner and he found out that he was terminally ill. So he 
thought, “Well, I will go to my bank and get this line of credit set 
up that will help my wayward son who is not that good a business- 
man; I will get this set up for him.” And you know about the infor- 
mation, you find out about it, but he has withheld it. What do you 
do in a situation like that, where you know, you have gotten that 
information, but he has not given you that information? How do 
you deal with that? 
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Mr. Yingling. Well, I think that would depend on how you get 
it. I do not think the lender has the right to go out and ask for 
the information without the permission of the borrower. I guess 
you could conceive of a small town where everybody knows it and 
so it is common knowledge that there is a health problem or some 
other problem. I guess from my point of view, it is hard to say the 
banker could not act on that general knowledge. But the lender 
should not be in a position of going out and fishing without the per- 
mission of the borrower. 

Mr. Lucas of Kentucky. Okay. Any other thoughts? 

Mr. Rotenberg. Well, Congressman, I think you put it very well. 
It is a public policy issue. Certainly, one of the things that privacy 
laws try to do is to allow people to participate in the marketplace, 
to obtain credit, to pursue employment, without being required to 
disclose a great deal of personal information, because many people 
would rightly feel that if they were forced to say everything about 
themselves, they might choose not to go for the loan or they might 
choose not to try to get the job. 

I have always believed the privacy laws are actually good for the 
economy because they give people the safety and assurance that 
they can pursue economic opportunity without having to disclose a 
lot of personal information. Now, I think in the years ahead, this 
problem is going to become quite a bit more serious. Diagnostics 
are becoming more precise, more advanced. There has been more 
commercialization of this information. It is easier for employers to 
get access to. Our health care system is being radically trans- 
formed by new technology. 

I think it is very much appropriate for the Congress at this point 
to draw some lines and to say the information that might be appro- 
priate in the diagnostic setting in the delivery of medical care for 
an individual is not necessarily information that we should make 
available to employers, even though they may be interested. 

Let us be honest on this point as well. Employers would probably 
like to know a great deal about their employees. But I think it is 
very appropriate for Congress in those situations to say, that per- 
son is your employee; they are not your patients, and there is only 
certain information that you are going to learn about that person. 

Mr. Lucas of Kentucky. Okay. Anybody else? 

Mrs. Meyer. I might say on behalf of the life insurers that we 
believe that extension of the FCRA affiliate-sharing provisions is 
absolutely critical. Just as the FCRA has made it possible for credit 
to be widely available in the United States, it has also very much 
facilitated the availability and the affordability of life insurance 
products across the country. 

It is essential, as I stated in my testimony, that insurers be able 
to obtain and use medical information in order to assess risk, in 
order to make life insurance products widely available and afford- 
able. At the same time, we recognize and very much appreciate 
consumers’s particular concerns about medical information. For 
that reason, we do in fact support laws and regulations that would 
actually impose strict requirements and limits on our ability to in 
fact obtain and disclose this information. We very much support a 
prohibition on the sharing of medical information to determine 
credit. 
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Mr. Lucas of Kentucky. Thank you. 

Mrs. Meyer. Thank you. 

Mr. Tiberi. Thank you. The gentleman’s time has expired. 

I am going to recognize the gentleman from Ohio for 5 minutes. 

Mr. LaTourette. Thank you, Mr. Chairman. 

Mr. Petersen, I apologize. I was not in the room for your testi- 
mony, but I have read it and I have a question that has nothing 
to do with fair credit reporting, and just wonder, as a representa- 
tive of the health insurance industry, if you have an observation. 

When I talk to the small business folks in my district about the 
implementation of HIPAA and the law of unintended consequences, 
they are describing a situation that because, not that they want to 
root around in their employees’s medical information, but because 
when they approach a health insurer they can only share or know 
so much information. They are finding that their insurance pre- 
miums are dramatically increasing because the insurance company 
is not aware of the risk that they are being asked to insure. Is that 
a reasonable observation by these people? 

Mr. Petersen. It is difficult. First off, for your small employers, 
I feel for them because I represent large insurers who have the ab- 
solutely same responsibilities as very small employers, and indi- 
vidual doctors. They all have to comply with this very large rule, 
and not all of them can afford to hire attorneys. So it is a very dif- 
ficult problem. 

There is one problem about how you share information as an em- 
ployer. The rule sets up group health plans, plan sponsors and em- 
ployer requirements, all for the separate sharing of information. 
Unless you provide notices and put in policies and procedures, you 
may have restrictions on your ability to obtain and/or disclose in- 
formation. 

I have heard of situations where small employers are finding it 
difficult to sometimes have one health plan disclose to the other 
health plan, or just to get the information generally and to disclose. 
From a health insurance perspective, if you do not have the infor- 
mation, a conservative underwriting approach is to, unfortunately, 
consider that it is probably bad. 

There has been some state activity. A few states are now enact- 
ing laws requiring one health plan to give it directly to the other 
health plan, so that the employer is not in the middle. They can 
just tell the one insurance company, give my information to the 
other insurance company. I think those types of laws will help ad- 
dress it, but it is a 50-state problem. 

Mr. LaTourette. Thank you. 

Mr. Rotenberg, I was in the room for your testimony and I heard 
you talk about a credit report of a prospective employer that might 
have some billing or a credit application for fertility. I think you 
said that the employer could not make an inference, which would 
be improper in the employment setting anyway. 

But couldn’t the same inference be drawn, since we are talking 
about inferences, by an employer who was interviewing a woman 
who was 22 years old who just got married, from the fact that on 
her credit report there was testing for fertility, that she may want 
to in the foreseeable future start a family? 
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In both of those inferences, if you reach the conclusion that she 
was desiring to get pregnant, that would not, under the laws al- 
ready on the books, be a disqualifier. It would be an impermissible 
reason to disqualify someone for employment. Is there a better ex- 
ample or a greater danger that you see than the one that you cited 
to us in your testimony? 

Mr. Rotenberg. Congressman, I actually think the example is a 
fairly good one because it is a medical service that is increasingly 
likely to appear on credit payments. In fact, when the Federal Re- 
serve took a look at credit reports, they were very interested in 
their study of February 2003 this year to find a very large number 
of credit payments related to medical services. 

So we could go into a bit more detail. We could imagine certain 
types of clinics that provide help for people with stigmatizing condi- 
tions. But I think the critical point is that there is information 
made available today through the credit report that would other- 
wise be covered under HIPAA, but for the fact that the employer 
is not a covered entity under HIPAA. That is the statutory prob- 
lem. 

Mr. LaTourette. And Ms. Pritts, as I read your testimony, there 
was a reference that I did not hear you talk about, but there was 
apparently a banking executive that served on his county health 
board, is that right?, and you cite that as an example of bankers 
using medical information for making credit decisions. 

My question is, based upon your study of HIPAA, wouldn’t the 
conduct of, I assume it is a fellow, but this banker prior to 1993 
be a violation of HIPAA today? And if not, why not? 

Ms. Pritts. He is not a health care provider, and it is not clear 
where he was getting his health information from. He was serving 
on a board, I believe. It is not clear whether that registry would 
be a covered entity under HIPAA, because of the definition of 
health care provider. 

Mr. LaTourette. Okay. But you would agree with me if in fact 
the information was being supplied by a health care provider, that 
it would be covered, and your answer is that it would? 

Ms. Pritts. Well, if it is supplied by the health care provider to 
a registry, it then becomes uncovered by HIPAA, so then it is not 
protected. 

Mr. LaTourette. Thank you very much. 

Thank you, Mr. Chairman. 

Mr. Tiberi. Thank you. 

Mr. Crowley is recognized for 5 minutes. 

Mr. Crowley. Thank you, Mr. Chairman. 

Let me just take Mr. Rotenberg’s example to another level. I 
would ask Mr. Petersen and Ms. Meyer or Ms. Pritts to chime in. 

If an individual were to obtain the TB test or an AIDS test or 
even a mammogram and pay for that using a credit card, would it 
be possible for that information then to be shared with affiliates? 
If so, is that possibly exposing what we determine as risky behav- 
ior in one’s personal behavior that could be used against them to 
deny them insurance, both health and PC? Or even taking it to a 
further extent, is it possible that information could be used to deny 
them employment? 
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Mr. Petersen. I will take the first shot at the question. The 
mere fact that they charged the information from a health insur- 
ance perspective, if they then submitted that charge to the health 
insurer for reimbursement, that would become protected health in- 
formation and would be subject to all the protections I described. 

The 1982 Act, you asked earlier about avocation, lifestyle, rep- 
utation, the 1982 Act of the NAIC provides special protections for 
that information as well. They essentially treat it for health pur- 
poses like marketing. So if you inferred something from that, you 
also could not share that for marketing with a third party. 

Mr. Crowley. What if you are an affiliate with the company? 

Mr. Petersen. You have limitations under HIPAA about how 
you can share protected health information from marketing. You 
can share it to do upgrades to existing products, for instance, but 
very limited ability to use that. So if you just had that claim infor- 
mation, I think you would be restricted on how you could use it 
within the internal, even within affiliates, or internal uses. So you 
would have limitations on how you could do it. 

Under HIPAA, if it was not a part of the hybrid entity, for in- 
stance if you had an affiliate that was a life company, you could 
not disclose at all to the life affiliate. It would have to be health 
to health, and for limited ways to share it for marketing. 

Now, on the other hand, of course, if it was something that came 
up in the application process, so you paid for it with your credit 
card, but it came up in the application process, then the health in- 
surance company could use that information. 

Mr. Crowley. They could use it. Well, then, Ms. Meyer, would 
you like to respond? 

Mrs. Meyer. Yes, thank you. 

If in fact you are talking about the bank sharing information 
with an insurance affiliate. Under the Fair Credit Reporting Act in 
fact that probably would be an experience in transaction informa- 
tion, so that the bank could share it with the life insurance affil- 
iate. Although, I have got to tell you, I am hard-pressed to think 
of an actual situation where a bank would be sharing information 
of that nature, of a charge with a life insurance company. 

But say in fact the life insurance company did get the informa- 
tion, then once the life insurance company gets the information, 
then it would first, I cannot even think of the real-world where it 
would get it, so that it would even be an issue, because I cannot 
imagine they get that information in connection with underwriting. 

But if in fact an insurer ever did get the information, then the 
whole ambit of all the body of laws dealing with insurer’s ability 
to disclose information would come into play, notably the NAIC 
model regulation, which requires an opt-in for the sharing of med- 
ical information, unless it is for an insurance business function, or 
the old NAIC model Act, which again requires an opt-in. Then you 
would possibly get into the Fair Credit Reporting Act, which would 
probably require an opt-out for the sharing. 

But in fact, insurers that do business all over the country adhere 
to the NAIC model Act and regulation, essentially in all States in 
which they do business. So that essentially ends up being the law 
of the land. But again, getting to the very beginning, I am hard- 
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pressed to think of a situation where a life insurer would actually 
be getting that type of information from a bank. 

Mr. Crowley. You may be hard-pressed, but it not inconceivable 
that something like that could happen in the future. 

Mrs. Meyer. I just don’t know how. 

Mr. Crowley. We don’t know where this is going, actually. 
Things are evolving in terms of information and the need for more 
information to make decisions based on one’s personal life, espe- 
cially risky business. 

Mrs. Meyer. I guess conceivably, but that flow of information is 
something that I have not seen. 

Mr. Crowley. Difficult. Okay, Mr. Chairman, just one more 
question, if I could, for Mr. Yingling. 

I missed your opening statement, but it was pointed out to me 
by my staff that it says, “With respect to the banks, medical infor- 
mation should only be used for the express purpose for which it is 
provided and should not be shared without the express consent of 
the consumer.” Are you advocating a system of opt-in for health in- 
formation, as opposed to opt-out? 

Mr. Yingling. As I mentioned in a previous answer, I don’t think 
it really is opt-in. I think it is stricter than opt-in. An opt-in regime 
could be a general approval to seek information or to use informa- 
tion, and it could be prospective and cover additional transactions. 

When we say with the approval and consent of the potential bor- 
rower, what we mean is a specific approval of the information that 
is needed for the application in front of you, so to speak. So it actu- 
ally I think is stricter than opt-in. 

Mr. Crowley. Thank you. 

I thank the chairman. 

Mr. Tiberi. Thank you. The gentleman’s time has expired. 

Without objection, the gentleman from Illinois, Mr. Emanuel, 
may be recognized for the purpose of questioning witnesses under 
the 5-minute rule. Do I hear an objection? Not hearing an objec- 
tion, Mr. Emanuel? Mr. Emanuel is recognized for 5 minutes. 

Mr. Emanuel. Mr. Chairman, thank you. As a member of the 
full committee, I ask unanimous consent to ask questions. Thank 
you. 

First of all, thank you for holding this hearing and putting this 
panel together. To follow up on this set of questions and your an- 
swer, I think we are at a critical point in finding a balance here 
that allows commerce and information to flow freely, but also give 
consumers a certain level of protection in this storm that they have 
a safe harbor. As you said, it is more strict than opt-in or opt-out. 
I actually am working on a bill creating a blackout as it relates to 
medical information. 

We have to create, I think, for consumers, because it touches on 
what Ms. Pritts said earlier as it relates to information, what con- 
sumers most care about is their medical privacy. If you look at it 
as a set of issues, you go down the ladder of what they care about, 
at least in the data and the research I have seen, and obviously 
I am dealing with five experts here who may show counter-data, 
but medical information is what they care most about in the sense 
that they feel vulnerable and they feel that their privacy has been 



43 


violated, and then forces greater than they can control and have ac- 
cess to things about them that are not relevant. 

With that, and again the world we live in is changing by the time 
we deal with this, and we are trying to set up some set of rules 
going forward that do not allow the different legislation that we 
have passed in the past, at least to set a clear mark of what the 
rules of the road are going forward. 

Let me ask a question, and this is for anybody, so have at it. I 
have a set of questions. What are some of the scenarios that could 
occur if the existing loopholes are not closed as we try to explore 
different scenarios? And is there a chance for widespread abuse 
here? I have some follow-up questions after that, so does anybody 
want to just take at it? 

Mr. Rotenberg. Congressman, I return to the original purposes 
of the Fair Credit Reporting Act. It was an extraordinary law at 
the time it was passed in 1970. Senator Proxmire and others came 
together. People became aware that a lot of derogatory information 
about individuals was being gathered up and being used in an ad- 
verse way. The information was inaccurate. We would call it today 
probably defamatory. It kept people out of jobs. It kept people from 
getting loans. 

The Fair Credit Reporting Act was passed to create stable trans- 
parent markets that consumers could participate in by ensuring ac- 
curacy and fairness and privacy. I think what happens, as you de- 
scribe, as the technology gets ahead of us and some of the new 
business practices get ahead of us, we get back in some ways to 
where we were back in the 1960s, where there is the risk that inac- 
curate information, defamatory information will produce bad con- 
sequences. 

I think Congress was very wise in 1970 to deal with the problem 
then. I think you are going to have to deal with it today with new 
technology and with new business practices. 

Mr. Petersen. I think from the health insurance perspective, it 
is very difficult to think of any loopholes that actually exist as the 
HIPAA rule interacts with the State laws. Our firm conducted an 
analysis of how the HIPAA privacy rule interplays with all 50 
State insurance codes. That analysis is over 600 pages, and I am 
assuming a non-lawyer could do it in 400 pages or however many 
extra words we might add to it. It is still a very lengthy analysis. 
State law, from a health insurance perspective, adds a lot of addi- 
tional layers of privacy protections. 

Now, it is very difficult as a national carrier to interact with all 
those, so sometimes preemption might be good. But you look at, as 
I said in my testimony, you have two NAIC models; you have the 
HIPAA rule; and then you have sort of sensitive information, repro- 
ductive rights, genetic testing, mental health, substance abuse, a 
variety of information that states have deemed to be extra-sen- 
sitive, and they have passed additional laws on the uses and disclo- 
sures. So I think from a health insurance perspective, almost all 
bases have been covered. 

Mr. Emanuel. Okay. 

Mrs. Meyer. I think from the perspective of life insurers, which 
are in a slightly different position than health insurers because 
they are not directly subject to the HIPAA rule, life insurers’s and 
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disability income insurers’s ability to obtain medical information is 
very much determined by the HIPAA rule, which would not permit 
health care providers to give information to life insurers and dis- 
ability income insurers without their providing the authorization of 
the individual. 

So you take all of the others, the Fair Credit Reporting Act, 
Gramm-Leach-Bliley, the HIPAA rule and all of the State privacy 
rules, and again the combination, the fitting of all these rules to- 
gether in effect operates in the same way, because both life 
insurers’s ability to get the information and then to disclose the in- 
formation is covered by the combination of all of these rules. 

Mr. Emanuel. Did you want to say something? 

Ms. Pritts. Yes. I think HIPAA protects health privacy fairly 
well in the context of health insurance, but HIPAA is not com- 
prehensive. It only covers health care providers and only if they do 
certain kinds of transactions, a health care clearinghouse, and 
health plans. So it does not cover everybody. 

The other point I want to make is that we have heard repeatedly 
today how important the State laws have been in filling in the gaps 
at the federal level. They are particularly important with insur- 
ance, because that is traditionally governed at the State level. To 
the extent there is this ambiguity in GLBA and FCRA about 
whether the States can go as far as they want to go, I really think 
that needs to be clarified. 

Mr. Emanuel. One question is, and if you have the life of a mem- 
ber as I do, with office hours in grocery stores, meeting people, 
doing constituent work, making it easier for people. My day is, and 
it is a pathetic life, maybe; I do it on Saturday. You meet people. 
You try to make office hours easier. And I don’t think consumers 
have any idea that on a credit background, health information is 
accessible. Maybe from the insurance side, but I will tell you from 
the general public, I would be interested if, from your own back- 
ground and your own research, your own knowledge of the public, 
whether you think they know that health information is accessible 
on a credit background check. 

Mr. Tiberi. The gentleman’s time has expired, but please answer 
the question. 

Mr. Emanuel. Thank you, Mr. Chairman. 

Mr. Yingling. If I could comment, I am sure I am oversimpli- 
fying here, but the expansion that we are talking about here is due 
to the Fair Credit Reporting Act covering a whole bunch of dif- 
ferent types of reporting agencies. 

If you are talking about the basic credit reporting system, when 
a bank looks at an application and goes and gets a credit report, 
they do not have medical information in that report. When people 
are doing employment checks, they go to a different type of report- 
ing agency where they get that kind of information. I think it is 
important to make that distinction. 

I am a little concerned if we start trying to deal with issues that 
just go through basically the payment system or the traditional 
credit card system where all you have is something that says a 
payment was made to the Yingling Clinic, and that is all that is 
in there, or a late payment was made to the Yingling Clinic. Then 
to ask the reporting system somehow or other to make a distinction 
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between whether the Yingling Clinic is a health clinic or a doctor 
clinic or a golf clinic, and people who have seen me play golf know 
that it is not, when you are dealing with millions and millions of 
transactions with one little piece of information. I do not think you 
want to require those kinds of reports, or in the situation of those 
kinds of reports, to have people sit there manually and try and fig- 
ure out what the Yingling Clinic is. 

Mr. Emanuel. Thank you, Mr. Chairman. 

Mr. Tiberi. Thank you. 

The gentlelady from New York is recognized for 5 minutes. 

Mrs. Maloney. Thank you very much. 

I would like to follow up on the questioning of my colleague, Mr. 
Emanuel. I agree that certainly health information and privacy in- 
formation and medical information is one of the most sensitive 
areas this committee deals with. I would like to go back to some 
of the testimony by Mr. Rotenberg, in which he talked about the 
availability of medical information in credit reports and the ability 
to infer a person’s medical history based on this information. He 
cited studies by the Consumer Federation and the Federal Reserve 
on this point. 

I would like to ask the panel, beginning with Mr. Rotenberg, do 
you know of any companies that are using this information to make 
conclusions about people’s medical history and base credit decisions 
on such information, not just late payment, but medical history? 
You could say payments to a clinic; you could infer they have can- 
cer or whatever. So starting with you, Mr. Rotenberg, and if any- 
one else would like to comment. 

Mr. Rotenberg. Congresswoman, the quick answer to your ques- 
tion is no, we have not been able to identify organizations that 
have used this information in an adverse way. I want to say two 
things, though, on this point. First of all, that the problem has re- 
cently come to light. The Consumer Federation of America report 
is from December of last year; the Federal Reserve Board report is 
February of this year. 

Secondly, I think it will take further investigation to actually 
find those instances where these kinds of determinations are made. 
But having looked at the report from the Federal Reserve Board, 
it seems apparent, it was at least apparent to them that medical 
record information can now be obtained from a credit report. 

Mrs. Maloney. Has anyone else on the panel, do any of you 
know of any business that has used this information in an adverse 
way? Any other members of the panel? 

I would like to follow up and ask, do you, Mr. Rotenberg, or any- 
one else on the panel, believe that employers are using this infor- 
mation to base employment decisions on people’s health? People 
look at credit reports for employment decisions also. 

Mr. Rotenberg. Well, I suspect that an employer with access to 
this information would consider it. Now, as I also indicated in my 
earlier statement, certain types of determinations, for example a 
prospective pregnancy, would not be a permissible factor in an em- 
ployment determination. Nonetheless, under the HIPAA guidelines, 
which would prevent people from getting access to this information, 
without those safeguards applying to employers who get access in 
effect to the same information through the credit report, they can 
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now make judgments about AIDS trials and TB and so forth. I 
think it is a problem that the committee will need to look at more 
closely. 

Mrs. Maloney. Yes. 

Mr. Petersen. I was going to say from a HIPAA perspective, em- 
ployers that provide group health plans, their group health plan is 
treated just like a health insurer under HIPAA. So if in the context 
of providing benefits to their employees, if they receive protected 
health information that identifies the individual, they are subject 
to all of the same rules as a health insurer. So they could not use 
the information received in that context to make employment deci- 
sions. I think Mr. Rotenberg was talking about information where 
you could infer health status. 

Mr. Rotenberg. Just to clarify if I might, Mr. Petersen is de- 
scribing the information obtained by virtue of the health plan, 
which is correctly covered under HIPAA. I am talking about the in- 
formation that is obtained from the credit report that the employer 
might access as part of an employment determination, which would 
not be covered under HIPAA. 

Mr. Petersen. That is correct, yes. 

Mr. Yingling. I just want to add again that when we use the 
term “credit report,” we may think that we are talking about the 
credit report a bank gets. It is technically a credit report because 
it is all covered by the Fair Credit Reporting Act, but when a lend- 
er gets a credit report, they do not get that information. All they 
get is the payments and the late payments and your credit history. 
They do not get the medical information. When you are an em- 
ployer, you are going to a different type of entity, and that is where 
you may be getting some of this medical information. 

Mrs. Maloney. But as I understand it from Mr. Rotenberg’ s tes- 
timony, just getting the payment history can infer medical condi- 
tions. Is that what you were saying? 

Mr. Rotenberg. To be precise, it is the trade line information 
that would indicate, for example, an outstanding debt to a clinic. 
That information would be made available to the employer through 
a credit report, and that is the type of information that is being 
made more widely accessible today. 

Mrs. Maloney. And you were implying that you could gain infor- 
mation just from the credit report on a person’s health. 

Mr. Rotenberg. Yes, exactly. 

Mrs. Maloney. And a health condition, if you are making a pay- 
ment to a cancer clinic, obviously you probably have cancer, that 
type of thing. What specifically did the Federal Reserve say about 
this? Could you elaborate? 

Mr. Rotenberg. Well, I have the Federal Reserve report in front 
of me, and I would be happy to provide it to the committee, per- 
haps as an attachment to my testimony. But I will just read one 
sentence, and this is under a heading “collection agency accounts.” 
I am reading from the report of the Federal Reserve, February of 
this year: “Information on noncredit-related bills and collections 
such as those for unpaid medical services is reported to credit re- 
porting companies by collection agencies. In addition, collection on 
some credit-related accounts also are reported directly by collection 
agencies.” 



47 


So the Federal Reserve, this is a very good study, it is a non-po- 
litical study. They were simply trying to understand how the credit 
report is generated, where does the information come from. They 
seem to be interested in the fact that a significant amount of infor- 
mation, in fact on page 69 of the report, they indicate that approxi- 
mately 52 percent of transactions relate to medical payment. So 
this is I think very interesting. 

Mrs. Maloney. Yes. My time is up. I thank all the panelists. 

Mr. Tiberi. The gentlelady’s time has expired. 

We will go for a second round of questioning between the three 
of us, if both of you would like to stay. 

Mr. Yingling, just following up on this line of questioning from 
the last two questioners, let’s say a customer of one of your banks 
has a checking account and is writing a check to the Ohio State 
cancer clinic, or is a credit cardholder with one of your banks and 
goes to a grocery store pharmacy and purchases medication that is 
for mental illness or something. Typically, how is that information 
protected for a consumer? 

Mr. Yingling. Typically, all the payment system information is 
protected. There is no distinction, I don’t think, made with medical 
versus any other type of information. It is protected through nor- 
mal security measures. If you look at Gramm-Leach-Bliley, there 
are specific provisions in there that require that banking institu- 
tions have security that protects all this type of private informa- 
tion. 

Quite frankly, it is moving through the computers so fast that I 
don’t think any human looks at it unless it is an exception item. 
I believe that our task force was pretty clear in the Statement that 
it made in its report that is quoted at the end of my testimony. It 
said that none of that type of information should be gathered or 
should be used for any purpose other than making sure that the 
checks are paid and the accounts are reconciled. 

Mr. Tiberi. In terms of the wording, “should be” or “cannot be” 
used? Can you comment on that? 

Mr. Yingling. Well, I don’t make law, so I can’t say “cannot.” 
But I recommend “cannot” should be used. If you chose to make it 
“cannot,” you could make it “cannot.” However you would have to 
have an exception to cover all those instances, and we have been 
talking about one example, which is the key-man insurance on a 
small business. You would have to have many exceptions, but even 
in those exceptions it would only be with the express consent of the 
potential borrower. 

So I think the better way to phrase it so you do not have to get 
into the business of trying to foresee every exception, which is im- 
possible, would be to say it can only be used with the express con- 
sent of the customer. 

Mr. Tiberi. But to your knowledge, your membership does not 
abuse that customer relationship now, to your knowledge? 

Mr. Yingling. No, not to my knowledge. It is hard to foresee in- 
stances where it would be worth the candle to try to do it, quite 
frankly. There are lots of instances where you do get medical infor- 
mation. Another one, for example, is we do a lot of trust work, and 
quite often when you are setting up a trust, if you have a child that 
has medical problems or mental problems, you would want that 
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banker working with you to set up the trust, to understand that. 
You want the person running the trust to have the authority to 
make decisions about when additional medical care is needed or 
not needed. But those are the exceptions, and again it is for that 
express purpose and that purpose only. 

Mr. Tiberi. In your testimony earlier, you mentioned the State 
preemption of the FCRA is important for us to re-extend or extend. 
Can you explain or delve into why that is important and, in your 
mind, what would happen if it is not extended? 

Mr. Yingling. Well, part of that is to go into all the benefits of 
the Fair Credit Reporting Act, which I won’t do, but there are just 
huge benefits, one of which is the way it helps low-and moderate- 
income individuals obtain loans. There is a remarkable chart in 
this study that shows the incredible growth in the availability of 
credit to low-income people since the passage of the Fair Credit Re- 
porting Act. 

I was interested in Chairman Oxley’s comment, which is another 
aspect of this, about the incredible mobility we have for people to 
move and to get jobs, which is so important to our economy, and 
that is in part due to the Fair Credit Reporting Act. 

Specifically in answer to your question, I think the best way to 
frame it is to give you an example that came to my attention re- 
cently when I was talking to the CEO of a small bank down in the 
southern part of Virginia. She was saying, because we all know 
California is very active in this area, “You mean to say that if I 
have a son or daughter of one of my long-term customers who goes 
to California as a student, that I am going to be subject to Cali- 
fornia law?” 

Well, you carry that out. Suppose it was a graduate student that 
moved to California. The first thing this community bank would 
have to do is apparently track all their customers to figure out if 
they had moved. Then they would have to figure out, well, this is 
a graduate student. Are they a resident of California or a resident 
of Virginia? Are they subject to California law now or not? And 
then if they are subject to California law, they would have to have 
somebody explain to them all the nuances of what they could col- 
lect and what they could report on the credit card loan and the 
auto loan to that son or daughter. 

Now, there is almost no way for them to do that other than to 
have a lawyer on hand in every state that can tell that community 
bank how you cover that person. The end result is, they will not 
report on that person. They cannot afford to report on that person. 

That means if that person has problems and does not make pay- 
ments, that is not going to be reported. On the other hand, maybe 
with this graduate student, the only loans he or she has ever had 
were the credit card and the automobile loan, and now that is not 
reported, so the student has no credit history. 

So you can see how the whole system can start to break down 
if you do not have one national law that this Virginia banker can 
plug into. 

Mr. Tiberi. Thank you. 

Unfortunately, my time has expired. I will recognize Mr. Crowley 
for 5 minutes. 
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Mr. Crowley. Mr. Yingling, I understand that while health in- 
formation is not allowed on credit reports, affiliate sharing is often 
exempt from FCRA privacy rules. So as banks and insurance com- 
panies, and this goes back somewhat to my original question, be- 
come more affiliated, could this information flow between affiliates, 
particularly these new brands of banks that are buying and mar- 
keting health insurance plans, could that information flow be- 
tween? 

And who would govern the privacy of this health information, 
HIPAA, FCRA or no entity? And where is this distinction codified 
in the law, as I don’t think anyone wants to see this end up in the 
courts for many years of litigation to sort out these issues, espe- 
cially as it pertains to such important issues as the issue of one’s 
personal privacy? 

Mr. Yingling. I think the simple answer is if you had a bank 
that chose to violate all the principles of trust of their customers 
and to take medical information and give it to an affiliate, it could 
do it. There is nothing illegal about it. 

Mr. Crowley. So you think the pressure of the market would 
come to bear, advertisement by other competitors? 

Mr. Yingling. I think that would be a major factor. We believe 
it is wrong to do it, but if you are asking me, is there a law that 
prevents it at this moment in time, the answer is no, sir, there is 
not. 

Mr. Crowley. Would anyone else like to comment on it? 

Mr. Petersen. There are rules against the flow in the opposite 
direction. So in that situation you described, if a bank were to pur- 
chase a health insurance health plan, the bank evidently can flow 
information to the health plan. The health plan could not flow in- 
formation to the bank under the HIPAA privacy rule of 1982 and 
the NAIC Act article five. 

So you would have restrictions of the information flowing the 
other way, and you would have to have an authorization for the 
health plan to release that information to the bank. Most of this 
sensitive information will be within the health plan. 

Mr. Crowley. Ms. Meyer? 

Mrs. Meyer. I was just going to say, to the extent there ever 
would be that flow from the bank in another direction, it would 
seem to me that both the Fair Credit Reporting Act and GLB itself 
would govern those disclosures and require at least an opt-out in 
that situation. Although again, it seems a stretch. 

Mr. Crowley. I keep coming back to those difficult stretches for 
you, don’t I, Ms. Meyer? 

[LAUGHTER] 

Just to show you how I think. I thank you. 

Would you like to respond, Ms. Pritts? 

Ms. Pritts. Yes, I would like to just go back to the one point that 
I think we continually miss, which is that Congress in enacting 
HIPAA and in enacting Gramm-Leach-Bliley subsequently, never 
really indicates who is on first. 

The Fair Credit Reporting Act was passed I think in 1990. The 
amendments to the Fair Credit Reporting Act were in 1996. HIPAA 
was in 1996. HIPAA does not say anything about the Fair Credit 
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Reporting Act. HIPAA hardly says anything about how you protect 
health information, in all honesty, the statute. 

Subsequently, you have the Gramm-Leach-Bliley Act, which was 
enacted after HIPAA, and very detailed. It does not mention 
HIPAA. Subsequent to that, then, you have the actual promulga- 
tion of the HIPAA privacy regulations, which are very detailed. But 
if you actually go through an implied repeal analysis, first of all 
you should not have to do that. We should have some indication 
from Congress as to what law governs if there is an overlap. It is 
an easy thing to fix, and it is something that we should not be rely- 
ing on the court for. 

Mr. Crowley. Thank you. 

I thank the chairman. I have other questions, but I will submit 
them in writing for an answer. 

Mr. Tiberi. Ms. Meyer, you were going to comment, it looked 
like? 

Mrs. Meyer. Actually, I was going to say that in fact insurance 
companies for a number of years have been dealing with the mesh- 
ing of all of these rules together. It is because of the fact that there 
is this meshing, we see that it is going to be so critical to reauthor- 
ize the preemption provisions of the Fair Credit Reporting Act, so 
in fact there will be certainty as to what the rules are. 

Mr. Tiberi. The gentleman from New York’s time has expired. 

I would like to thank all the witnesses for being here today. The 
record will be open for 30 days for members to submit any addi- 
tional testimony or comments or questions. 

The hearing is now adjourned. 

[Whereupon, at 1:03 p.m., the subcommittee was adjourned.] 
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STATEMENT OF CHAIRMAN SPENCER BACHUS 
SUBCOMMITTEE ON 

FINANCIAL INSTITUTIONS AND CONSUMER CREDIT 
“THE ROLE OF FCRA IN EMPLOYEE BACKGROUND CHECKS AND 
THE COLLECTION OF MEDICAL INFORMATION” 

Good morning. The Subcommittee will come to order. Our hearing today is the fifth in 
the series of hearings this Subcommittee is holding on FCRA. We have previously held hearings 
covering the importance of a national uniform credit system to consumers and the economy and 
more specifically on how FCRA helps consumers obtain more affordable mortgages and credit in 
a timely and efficient maimer. Today we will leam about how FCRA regulates employee 
background checks and the collection of health information. 

This hearing consists of two panels. The first panel will focus on the application of 
FCRA to employee screening and other background checks. Witnesses will include various 
business groups, human resource managers, and private investigators. The second panel will 
examine how medical information is collected and used for various financial products, including 
a discussion of the prohibition on the use of health information in the credit-granting process. 
Panelists will include representatives of the life and health insurance industry, banking industry, 
and independent experts. 

While we usually think of FCRA in the context of credit information, it also applies to 
background checks for employees. For example, information collected for an employer by a 
third party about an employee’s criminal record, driving record, educational record, or prior 
employment history in some instances falls within the FCRA’s coverage. The 1996 amendments 
to FCRA established consumer protections for employee background screening. Some of these 
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include: consumer consent before a prospective employer may obtain a consumer report; 
disclosure of the report to the consumer once it is completed; and notice to the consumer of his 
rights before taking an adverse action based on the report. 

Many employers conduct background checks of their employees as a safety precaution. 
Moreover, according to a 2002 Harris poll, a majority of Americans support their employers 
conducting detailed background checks. Congress has mandated background checks for many 
workers in the financial services industry, as well as for nuclear, airport, and childcare 
businesses. As a result, mandatory background checks are now required for workers at ports and 
for those who transport hazardous chemicals. The number of worker background checks has 
dramatically increased since 9/1 1 due to heightened security concerns. 

In light of the fact that background checks are becoming commonplace, one issue that we 
need to look at is the FTC’s staff Vail opinion letter. It makes it more difficult for employers to 
conduct investigations. Under the Vail letter, if an employer believes that an employee is 
engaging in workplace misconduct - such as committing sexual harassment, racial 
discrimination or embezzling funds — the employer can’t hire an independent third party 
investigator without getting the wrongdoer’s consent and telling hint how he will be 
investigated. This makes absolutely no sense. If you’re trying to catch a criminal, why warn 
him in advance? Strangely, employers can investigate alleged misconduct without following any 
of the Vail letter requirements if they do so internally. The Vail letter makes it unworkable to 
hire an outside, unbiased party to do an impartial investigation. Even the FTC admits that the 


law should be fixed. 
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Our second panel will turn to a different but equally important subject, the collection of 
medical information and how the FCRA and other Federal and State laws govern its use. The 
FCRA prohibits consumer reporting agencies from furnishing reports containing medical 
information without the consumer’s consent. Congress passed another law, the Health Insurance 
Portability and Accountability Act of 1996, which limits the sharing of health information by 
health care plans and providers. In addition, the States have various laws governing how 
insurance companies use and share information. This panel of experts will help us to understand 
whether there are gaps in the convergence of these laws, and whether financial providers are 
using or should be prevented from using individuals’ medical information in an inappropriate 
way. 

I want to again express my gratitude to Chairman Oxley, Ranking Member Frank and Mr. 
Sanders for working with me on FCRA reauthorization, and note that for the second week in a 
row we accommodated all of the Minority’s witness requests. 

The chair now recognizes the Ranking Member of the Subcommittee, Mr. Sanders, for 
any opening statement he would like to make. 
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Opening Statement 

Chairman Michael G. Oxley 

Committee on Financial Services 


Subcommittee on Financial Institutions and Consumer Credit 
“The Role of FCRA in Employee Background Checks and the Collection of 
Medical Information” 

Tuesday, June 17, 2003 


I am pleased to announce that last Thursday another Federal 
regulator came out in support of a reauthorization of the national uniform 
standards of FCRA. Don Powell, Chairman of the FDIC, said he believes it’s 
necessary to make permanent the preemptions in the FCRA to ensure no 
negative economic impact. 

Mr. Powell joins the Treasury Secretary, the Chairman of the Federal 
Reserve Board, and the Conference of State Bank Supervisors, in support of 
reauthorizing uniform FCRA standards. 

I also just received a report by the independent Congressional 
Research Service analyzing a critical consumer benefit of the FCRA - 
increased labor mobility. CRS found that mobility is an important barometer 
to judge the importance of having a national credit reporting system. No 
surprise, the U.S. has one of the most mobile societies, with 14.5 percent of 
the population moving in any given year, and lower income individuals more 
likely to move than higher income groups. It is our national uniform credit 
system that makes this mobility possible, and gives us a further competitive 
edge over the rest of the world. 

Throughout modern history, national economies have risen and fallen 
based in large part on the flexibility and mobility of labor and management. 
American consumers and workers enjoy unprecedented mobility in part 
because of our uniform national credit standards. 

Today’s hearing looks at two particular aspects of uniform standards 
under FCRA. The first panel will address the use of FCRA in employee 
background screening. Even before 9-11, Americans had become increasingly 
concerned about ensuring their safety on the job from individual predators 
with criminal records. Homicide was the second leading cause of 
occupational fatalities in 2001, and the recent wave of corporate scandals has 
highlighted the need to keep out bad actors at all levels of the American 
workplace. Congress has been calling for expanded background checks for a 
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number of sensitive jobs, and courts have been imposing more liability on 
businesses that don’t perform adequate background checks. 

Unfortunately, an interpretation of FCRA by the Federal Trade 
Commission known as the “Vail letter” undermines the ability of businesses 
to protect their employees and consumers. The Vail letter prohibits 
employers from using outside third parties to investigate employee 
misconduct unless they first notify the wrongdoer of the precise investigation, 
get his consent, and ultimately give him a copy of the investigative report. 
How do you investigate a CEO who’s embezzling funds if you have to first get 
his permission and give him time to cover up his actions? How do you get 
victims to cooperate with a sexual or racial harassment inquiry if they know 
their identities won’t be protected? You don’t, and that’s why the FTC’s 
interpretation is problematic. 

Ironically, a company can perform an employee investigation without 
these requirements, but only by doing it internally, without any of the 
protections of an outside, unbiased and professional third party. The Vail 
letter is impractical. Subcommittee Chairman Spencer Bachus and I wrote to 
the FTC last term asking the Commission to change its views, and we 
support efforts by the Members here today to correct this problem. 

On our second panel, we will receive testimony on the use of medical 
information in the credit granting process, and the interplay between various 
Federal and State health privacy laws. I share the concerns of many of my 
colleagues that medical information may require special protections to 
prevent its improper use or theft and look forward to our witnesses’ views on 
the appropriate balance of national consumer standards on this issue. 

I would like again to thank Subcommittee Chairman Mr. Bachus for 
his leadership on FCRA reauthorization, and the continued bipartisan 
cooperation of our ranking Subcommittee and full Committee Members Mr. 
Sanders and Mr. Frank. 


ffffff 
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June 17,2003 

Opening Statement by Congressman Paul E. Gillmor 
House Financial Services Committee 

Subcommittee on Financial Institutions and Consumer Credit Hearing entitled. “The Role 
of FCRA in employee background checks and the collection of medical information" 

Thank you, Mr. Chairman, for holding this important hearing on the Fair Credit 
Reporting Act (FCRA) and its role in employee background checks and the collection of 
medical information. I continue to believe that ensuring a uniform national standard for 
consumer protections governing credit transactions is one of the most important tasks this 
committee will face in the 108 th Congress. 

As we are all now aware, on January 1, 2004 these standards as established in the FCRA 
will expire and states will again have the ability to enact differing regulations. 

Congress enacted the FCRA in 1970, to bring the consumer credit reporting industry 
under Federal regulation and to create a uniform system of rights governing credit 
reporting transaction. This mandate has been incredibly successful and allowed for the 
creation of the sophisticated system we have today. It has greatly expanded consumer 
access to credit and allowing individual states to enact their own standards would 
undoubtedly risk its collapse. 

The 1996 amendments to the FCRA established a national consumer protection standard 
for employee background checks detailing the following requirements: 

1. a consumer consent before a prospective employer may obtain a consumer report; 

2. an employer provide a copy of such report to the consumer; 

3. a description of a consumer’s rights be provided to the consumer before taking an 
adverse action based on such report. 

The FCRA also prohibits consumer reporting agencies from producing reports containing 
medical information without the consumer’s consent. 

Today, I look forward to a thorough discussion of the issues that remain concerning the 
FCRA’s application in these areas. Thank you again, Mr. Chairman, for continuing our 
dialogue on this issue and I look forward to swift committee action. 
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Opening Statement 
Congressman Pete Sessions (R-TX 32) 

Committee on Financial Services 
Subcommittee on Financial Institutions and Consumer Credit 
June 17,2003 

“The Role of FCRA in Employee Background Checks and the Collection of 
Medical Information” 


Mr. Chairman, I would like to thank you for inviting me to join you today at this hearing on the 
Fair Credit Reporting Act (FCRA) as it pertains to employee background checks and the 
collection of medical information. I am pleased to be rejoining the Chairman and my esteemed 
former colleagues on the Financial Services Committee to discuss an issue that has long been of 
great interest to me. I would also like to thank my colleague from Alabama for scheduling this 
important hearing, for his strong leadership on this issue, and for his diligent oversight of all 
aspects of the FCRA. His efforts are commendable, and by holding this hearing today, he will 
have helped Congress to take the first step toward making the workplace a better and safer place 
for all working Americans. 

Mr. Chairman, in order to provide historical context to this hearing, I would like to recount 
briefly the events that have brought us here today. In 1999, the staff of the Federal Trade 
Commission (FTC) issued an opinion - known as the “Vail Opinion” - concluding that outside 
consultants who perfonn investigations of alleged employee misconduct are considered to be 
“Credit Reporting Agencies.” As a result, outside consultants and the employers who hire them 
to help ensure unbiased workplace safety are subject to a number of burdensome and unintended 
restrictions on their ability to perfonn these investigations safely, professionally and efficiently. 
Accordingly, they are hampered in performing many different kinds of helpful workplace 
investigations, including employee complaints of sexual harassment, discrimination and threats 
of violence. 

For the last few Congresses, I have introduced legislation to fix this problem by removing the 
FCRA requirements for: 1 ) investigations of suspected misconduct related to employment and 2) 
compliance with existing laws and pre-existing written policies of the employer. This proposed 
legislation also respects the rights of the subject of a workplace search (by providing him/her 
with a summary of the findings), while removing employers from the onerous and potentially 
dangerous requirement to notify their subject prior to beginning an investigation. The removal 
of this requirement is important because it prevents violent employees from having time to 
"cover their tracks" or to intimidate coworkers who can make or corroborate complaints and are 
integral to ensuring the veracity of data included in these complaints. 

Mr. Chairman, back in 1 997, when a constituent brought the problems that she was having as a 
result of the Vail Opinion to my attention, I was shocked. Shocked to learn that federal law 
requires an employer who suspects that an employee is dealing drugs at their workplace to ask 
that employee’s permission before beginning an investigation. Furthermore, I was greatly 
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dismayed to find that federal law would also require that same employer to provide a potentially 
violent employee a with report identifying the co-workers who made or corroborated those 
allegations of wrongdoing, making those helpful employees who were only trying to make their 
workplace safer a target for violence or retribution themselves. 

This important legislation that I have introduced removes requirements of the Fair Credit 
Reporting Act solely for the purpose of having unbiased, third-party professional investigations 
of illegal or unsafe activities in the workplace. These limited activities include drug use or sale 
of drugs, violence, sexual harassment, employee discrimination, job safety or health violations 
and criminal activities including theft, embezzlement, sabotage, arson, patient or elderly abuse, 
and child abuse. 

Mr. Chairman, I believe that it is critical that Congress pass this legislation in order to make 
workplaces safer, to stop illegal activities such as drug dealing and to identify dangerous 
employees so that they can be provided with treatment before violence occurs. This legislation 
offers Congress the opportunity to replace illegal and dangerous activities in the workplace with 
investigation and remediation - and I think that is precisely the goal for which we should all be 
striving. 

I would like to thank our entire panel, many of who have come from all over the country just to 
share their experiences with the Vail Opinion and the FCRA with us today, and I look forward to 
hearing their testimony on this issue. I would like to thank the 16 Members of Congress on both 
sides of the aisle who have cosponsored this bipartisan legislation. And I would like to thank the 
Chairman for the leadership and initiative he has shown by addressing this issue - I greatly 
appreciate the time provided to me today. 
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TESTIMONY OF LEWIS L. MALTBY 
PRESIDENT- NATIONAL WORKRIGHTS INSTITUTE 
REGARDING EMPLOYEE INVESTIGATIONS 

BEFORE THE HOUSE SUBCOMMITTEE ON FINANCIAL INSTITUTIONS 
AND CONSUMER CREDIT 
JUNE 16,2003 

Introduction 

My name is Lewis Maltby. I am president of the National Workrights Institute. The 
Institute is a not-for-profit research and education organization dedicated to advancing 
human rights in the American workplace. 

Testimony 

Pre-Hiring Investigations 

The Institute is very concerned about the growth of employment investigations in 
America. There is nothing wrong with employment investigation. For employers to 
select the strongest applicant, they must screen out the other applicants. An employer 
who hired everyone who applied would quickly be bankrupt. 

But there is much that is wrong with the way employment investigation is practiced 
today. Many employment screens are highly intrusive and invade people’s privacy. 
Others are highly arbitrary and deny work to honest hard working people. 

For example, many employers require all applicants to take a so-called honesty test. At 
least 2.5 million people are required to take such tests every year. There is nothing 
wrong with employers wanting to hire honest people. But honesty tests are notoriously 
unreliable. For every dishonest person they identify, at least four honest people are 
denied a job. Worse yet, honest people who fail one honesty test generally fail them all. 
In an industry where honesty tests are standard practice, many honest people are virtually 
unemployable. 

Other employers require prospective employees to take personality tests. This also is not 
inherently wrong. Organizations, like people, have personalities. A person who would 
fit it well with an informal Silicon Valley company might have difficulties in a highly 
structured Wall Street firm. Companies that choose employees based on personality as 
well as ability can save both parties from the consequences of a bad decision. 
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But many personality tests are shockingly intrusive. The Minnesota Multiphasic 
Personality Inventory (MMPI) asks detailed questions about applicants’ sex lives, 
religious beliefs, and bathroom habits. No one should have to reveal such intimate 
aspects of their personal lives just to get a job. The harm is all the worse because such 
information is irrelevant to job performance. 

Relatively recently, employers have begun investigating employees’ private lives. 
Approximately 6% of American employers inquire whether their employees smoke, 
drink, or engage in risky hobbies in their private lives. Twenty-nine states have enacted 
legislation that restricts this type of discrimination, often with the help of the Workrights 
Institute. But in the remaining 2 1 states, employers can and do deny people employment 
because they smoke or drink in their own homes on their own time. 

In the wake of 9/1 1 the number of employers conducting criminal record checks has 
exploded. Companies supplying such reports report than their business has at least 
doubled in less than two years. Under certain circumstances, this is entirely proper, or 
even necessary. I have three children who ride the school bus every day. The youngest 
is 5 years old. I would be angry if my school district did not conduct record checks and 
screen out prospective drivers with DWI convictions. 

But some employers use criminal records in irrational and unfair ways. Eli Lilly, for 
example, will not hire anyone who has ever been convicted for anything for any job, no 
matter what the circumstances, and no matter how long ago the offense. Kimberly Kelley 
lost her job as a pipe insulator at a Lilly contractor because, before starting this job, she 
had been convicted in absentia of passing a bad check for $60. 

Such “zero judgment” laws violate federal anti-discrimination law because of their 
disparate impact on minority groups. Eight states require that there be a nexus between 
the nature of the offense and the nature of the job. But many employers do not comply 
with these laws. 

The worst aspect of such employee investigations is that they have taken over the hiring 
process. Instead of the result of the investigation being used as input to a human being 
who will consider it, along with all the other relevant information, the investigation 
results determine the outcome. Human judgment is eliminated. In most companies 
today, if you fail the honesty test, you are automatically dropped from the applicant pool. 
Even if the HR professional thinks the test is wrong, it makes no difference. If you 
smoke or drink (in certain companies) you are out, no matter how strong your job 
performance. If you have a criminal record, you are not hired, no matter what the 
circumstances. 

It is unfair to employees and damaging to productivity and our standard of living for 
hiring decisions to be made in this manor. While it is impossible to legislate good 
judgment, there are steps that Congress could take that would improve the situation. 
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Fair Credit Reporting Act 

Ironically, the area in which employee investigations are most needed is the one area 
where there are substantial legal restrictions. Under the Fair Credit Reporting Act 
(FCRA), when an employer commissions a third party to conduct a “consumer report” or 
“investigative consumer report”, the employer must notify the affected employee in 
advance and obtain their permission. 

In general, this is a good rule. Such reports can be extremely revealing and people should 
not be forced into investigations against their will. 

But the rule makes no sense in the context of employer investigation of employee 
misconduct. Telling the employee suspected of misconduct that an investigation is about 
to begin gives them the opportunity to alter their behavior, destroy evidence, and take 
other action to hide the truth. Even worse, the suspected employee can prevent the 
investigation by refusing to consent. This is so irrational as to border on the surreal. 

What kind of law enforcement system allows people who have broken the law to escape 
justice by refusing to let the authorities investigate their conduct? 

As a human rights organization, the Institute is most concerned about the impact this law 
has on civil rights. Consider the situation in which a female employee complains to her 
boss that another employee has sexually harassed her. Assume that she identifies 
eyewitnesses to the harassment. The employer obviously needs to conduct an 
investigation. But it can’t, because speaking to the witnesses falls under the definition of 
“investigative consumer report” in FCRA. The accused harasser can protect himself by 
refusing to consent to the investigation. This is obviously an intolerable result. 

Legislation has been proposed that addresses this issue. Representative Sessions and 
other Members have introduced legislation, the Civil Rights and Employee Investigation 
Act (H.R. 1543), that would remove from the FRCA “investigation of suspected 
misconduct related to employment”. This is a step in the right direction, but not a 
complete solution. For example, not everyone suspected of sexual harassment or other 
workplace misconduct is guilty. The FCRA contains rights that help protect innocent 
people suspected of misconduct. H.R. 1543, standing alone, would eliminate these 
protections. 

What is needed is for all concerned groups to work together to find a way to amend the 
FCRA that eliminates the impediments to legitimate workplace investigations without 
eliminating other important employee protection. The beginning of this dialogue has 
already taken place. The National Workrights Institute would be happy to help continue 
these discussions. 

The Institute would also like to submit supplemental materials after the conclusion of the 
hearings. 
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My name is Eddy McClain. Chairman of Krout and Schneider, Inc., a 76-year-old private 
investigative firm in California. I’ve been a licensed private investigator for 47 years. I am 
appearing today on behalf of the National Council of Investigation and Security Services 
(NCISS) representing both investigative and protective sendee companies and their State 
associations throughout the United States. I previously served as Chairman and President of 
NCISS and am currently a member of the Board of Directors. 

We appreciate the opportunity afforded us today to discuss how the Fair Credit Reporting 
Act impedes the ability of employers to provide a safe and secure workplace. We regret that we 
did not participate the last time Congress considered the FCRA. The 1996 amendments to the 
Act. as interpreted by the Federal Trade Commission, restrict employers from obtaining 
independent investigations of employee misconduct. 

We believe the FCRA was intended to provide consumers a remedy when their credit 
records contained errors that affected their ability to obtain credit. And, to the extent that credit 
reports might be used as a yardstick in the hiring process, to allow the applicant an opportunity to 
correct those errors. We do not believe Congress intended to hamper investigations of 
lawbreaking in the workplace. 

As outlined in detail by others on the panel, employers face restrictions on the conduct of 
preemployment criminal background checks. They are also limited in obtaining frank appraisals 
in job references because of former employers’ fear of liability. Unfortunately, they will 
sometimes have to confront the possibility of employee misconduct. 
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The FCRA thwarts investigations of misconduct by third parties in many ways. The most 
egregious require: 

1 . Notice to employees, including possible suspects, before any investigator 
or consultant initiates an investigation. 

2. Written authorization from the accused or suspect employee before an 
investigation is undertaken. 

3. Providing a complete, unedited copy of an investigative report prior 
to taking any adverse action against an employee. 


The FCRA stymies the ability of all employers to engage outside experts to investigate 
employee misconduct and provide a safe workplace. Even many Fortune 100 firms prefer to hire 
third parties to conduct employee misconduct investigations to avail themselves of the expertise 
of specialists and to maintain the integrity and objectivity of an impartial review. Indeed, they 
are encouraged to do so by government agencies. Then Assistant Attorney General James 
Robinson testified before this Subcommittee previously that 

"The Department is very concerned about the possible implications for law enforcement 
investigations and on corporate compliance and self-reporting programs that the Department and 
other agencies encourage, and in some cases, even require that arise from applying the FCRA to 
investigations by outside counsel of specific allegations of wrongdoing in the workplace by an 
employee." 

The FCRA will continue to frustrate Boards of Directors from retaining independent 
experts to ferret out corporate malfeasance. When a Board needs to investigate the CEO, 
President and CFO, who will be able to provide an independent investigation under the FCRA? 
Can the Board obtain these officers’ consent for such an investigation which could lead 
eventually to criminal prosecution? 
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The FTC interprets the FCRA as meaning that any investigator, who regularly conducts 
employment investigations that report on the character or reputation of an employee, is a 
Consumer Reporting Agency and subject to the FCRA rules. But most of the requirements of 
the FCRA do not make sense except in the context of credit reports. They should not apply to 
investigations that have nothing to do with credit and should not be imposed on employers 
attempting to maintain safe workplaces. We believe that investigators of workplace misconduct 
should not be designated as Consumer Reporting Agencies and their reports should not be 
classified as Consumer Reports. 

Section 611 is an example of a provision that was designed to correct credit report errors. 

It requires a re-investigation at any time that a consumer disputes anything in a consumer’s file at 
a Consumer Reporting Agency and requests a re-investigation. That may make sense for a 
disputed invoice in a credit file, but employee misconduct investigations often involve hundreds 
of hours of investigation and interviews of witnesses who may become less cooperative when 
they team their statements were released to the suspect. This section would require an 
investigator to go over the same ground and conduct new interviews at no charge within 30 days 
from the time of the request. 

The FTC has said that no portion of a completed Consumer Report may be redacted. 
Therefore, information that is not relevant to the accused, but is relevant to the safety and privacy 
of others, would also have to be revealed. While Section 609 of the Act says it is not necessary to 
divulge sources of information acquired solely to prepare an Investigative Consumer Report, it is 
in conflict with Section 604 (b)(3)(A) that says the employee must receive a copy of the report. 
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Moreover, even absent the name of a witness, the content and circumstances described in a 
statement frequently will reveal the identity of a witness. 


Harassment and Discrimination 

The 1996 amendments to the FCRA have set back progress on sexual harassment and 
discrimination substantially. The Act provides no explanation or suggestion of what an 
employer should do if an accused person refuses to give his/her permission to be investigated . 

Investigation of harassment and civil rights cases call for the most tactful and professional 
investigative techniques. Tempers are often at a fever pitch. The EEOC has recognized that 
they are best done by experienced third parties — yet the FCRA discourages employers from 
retaining them. 

Violence 

These requirements exacerbate investigations of employee violence even more. When an 
employee appears to exhibit the symptoms of a deranged individual and is suspected of having 
the wherewithal to carry out threats to fellow workers or supervisors, the last thing the employer 
wants to do is ask the employee for permission to investigate her or him. Even in cases where 
permission was obtained at the time of hire, handing the employee a report containing the details 
of evidence against him before terminating or suspending his employment is like lighting a fuse. 
Employers are damned if they do and damned if they don't comply with the FCRA. 

My firm is often hired to assist employers in dealing with potentially violent employees. 

It is not uncommon for employees exhibiting violent propensities not to have been thoroughly 
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backgrounded at the time of hire. In addition to surveillance, these investigations usually involve 
conducting inquiries to include covert neighborhood interviews. Neighbors are often aware of 
suspicious activity, proclivity towards firearm ownership or even knowledge of explosives. 

Since the 1996 FCRA amendments, the report of such an investigation would be considered an 
Investigative Consumer Report and it would be unlawful for the employer to order such an 
investigation without disclosure and permission. The ramifications of advising such an 
employee that he is going to be investigated, are obvious. 

Theft 

Statistics indicate that about one-third of business failures each year in this country are 
the result of employee theft. When businesses fail, consumer employees lose their jobs. Of ail 
crimes by employees, perhaps investigation of embezzlement requires the most stealth and 
expertise. Embezzlers are often in the best position to cover their tracks. Yet, before an 
employer can hire an outside expert to investigate embezzlement, written permission must be 
obtained. As the Chairman of a House Committee recently remarked, “That defies common 
sense.” 

Drug Use 

Illicit drugs continue to be a scourge on American society. Ostensibly, we’ve been 
fighting a war on drugs for years yet recent statistics reveal that about seven percent of 
employees still use drugs in the workplace. This endangers fellow employees and customers, as 
well as themselves, particularly if they operate forklifts or other hazardous machinery. But the 
FCRA makes it virtually impossible to ferret out users or drug dealers from the workplace. The 
FCRA now requires us to obtain certification from the employer that they have received 
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permission from employees to initiate an investigation. Yet in many instances, we have no idea 
who the suspects are when we commence an investigation. Since most employers have not 
obtained the requisite permission in advance, should we wait until we know which ones are 
dealing drugs to ask for permission to investigate them? 

In tellect ual Property 

Prior to the 1 996 amendments, employers were able to hire impartial experts to covertly 
conduct sensitive investigations that would not be possible today. For example, my firm was 
engaged to investigate an alleged theft of trade secrets for a Fortune 100 defense contractor. 
Using a combination of public record information, surveillance and undercover techniques, we 
were able to determine the facts. A sales/marketing manager and a production chief had 
conspired with a scientist to form a competing company that was bidding on the same 
government contracts. Although one conspirator left our client's employ, he was fed 
information by the other two who remained as moles. Not only were the scientific secrets being 
disclosed, but bidding information allowed the competitor to slightly undercut their pricing on 
closed bids. This successful prosecution would have been nearly impossible if our client had to 
notify the culprits in advance of the investigation. 


The need for confidentiality should be obvious in any investigation of misconduct. In 
fact, Congress determined this to be the case in other statutes of recent vintage. I understand that 
the Bank Secrecy Act makes it a violation of law to tell a customer if a bank will file a suspicious 
transaction report. The Act provides at 31USC 5318(g)(2) 

“A financial institution, and a director, officer, employee or agent of any financial 
institution, who voluntarily reports a suspicious transaction pursuant to this section or any other 
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authority, may not notify any person involved in the transaction that the transaction has been 
reported.” 

If we conduct any interviews -- and even reported conversations with witnesses are 
considered to be interviews - then our report is considered to be an Investigative Consumer 
Report and the employer must advise the accused of the nature and scope of the investigation. 
And, before taking adverse action against an employee, a complete unedited copy of the report 
must be provided to the employee no matter how felonious their behavior. 


We often conduct undercover investigations by placing an operative in a client's 
workplace to interact with suspects. These types of investigations are some of the most cost 
effective ways to obtain conclusive proof of employee criminality. Since the advent of the 1996 
amendments, many of our labor lawyer clients have advised their clients not to risk such an 
investigation even in the face of significant losses or danger to co-workers. The reason is the 
attorneys do not wish to provide suspects with a copy of the Investigative Consumer Report. 

Not only does this risk jeopardizing safety, but it could lead some employers to terminate 
suspect employees for other reasons, which could result in an employee being wrongfully 
terminated. It is fairer to all parties to know the facts. 

Holding employee violators to answer for their misdeeds by imposing discipline is often 
traumatic and unpleasant for employers. But their other employees have a right and expectation 
of a safe work environment. Many employees are naturally reluctant to come forward and 
cooperate with an investigation. And, when they leam that the requirements of the FCRA 
mandate disclosure of their cooperation, the chances of getting to the truth are greatly minimized. 
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Many times in my experience, at the conclusion of such an investigation, honest employees have 
come forward to say, “Thank goodness you did something about this.” 


HR 1543 

NCISS strongly supports HR 1543, The “Civil Rights and Employee Investigation 
Clarification Act.” The bipartisan measure would make clear that investigations of employee 
misconduct are not covered by the FCRA. But it would provide protections for consumers and 
employees. The bill makes clear that it does not permit access to credit reports. It also would 
require that after taking adverse action against an employee, an employer must provide a 
summary containing the nature and substance of the communication upon which the action is 
based. 

But time is of the essence. If Congress does not act quickly to amend the FCRA, 
invasions of privacy and violations of safety will continue. Witnesses will be coerced and 
possibly killed or injured and violations oflaw will go unchallenged because employers without 
an employee's authorization are not permitted to hire a discreet, confidential investigation by an 
impartial expert or use that investigative report properly. Congress must not let stand 
regulations that further jeopardize the safety and well being of honest employees. 


#### 
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Chairman Bachus, and Members of the Subcommittee. I am Roberta Meyer, 
Senior Counsel at the American Council of Life Insurers (“ACLI”). I am pleased to 
appear before the Subcommittee today on behalf of the ACLI to discuss the topic of the 
Fair Credit Reporting Act (“FCRA”) and the collection of medical information by life 
insurers. The ACLI is the principal trade association of life insurance companies. Its 383 
member companies account for 73 percent of the assets of legal reserve life insurance 
companies, 70 percent of life insurance premiums and 77 percent of annuity 
considerations in the United States. ACLI members are also major participants in the 
pension, long-term care insurance, disability income insurance and reinsurance markets. 

Life insurers have a long history of dealing with highly sensitive information, 
including consumers’ medical information, in a professional and appropriate manner. 

Life insurers must collect and use medical information in order to serve their existing and 
prospective customers. At the same time, life insurers support strict protections for 
medical records confidentiality, including support for prohibiting the sharing of medical 
information in connection with an extension of credit . 

Why Life Insurers Collect Medical Information 
In today’s world, it is more important than ever for consumers to have ready 
access to as much insurance as possible to protect their future financial security as well as 
the financial security of their families. In order to continue to make insurance products 
and services widely available at the lowest possible cost, life insurers need access to 
information that establishes a consumer’s eligibility and the appropriate premium for 
insurance products for which the consumer has applied. An applicant’s medical 
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condition is an important factor in making that determination. Accordingly, insurers 
collect personal medical information from consumers in connection with providing life, 
disability income and long term care insurance. 

Medical information is used to group applicants into pools that accurately reflect 
the financial risk presented by the applicants. This system of classifying proposed 
insureds by level of risk is called risk classification. It enables insurers to group together 
people with similar characteristics and to calculate a premium based on that group’s level 
of risk. Those with similar risks pay the same premiums. The process of risk 
classification provides the fundamental framework for the current private insurance 
system in the United States. It is essential to insurers’ ability to determine premiums 
which are fair relative to the risk posed by the applicant. It is the process of risk 
classification based in large part on medical information, which has made life, disability 
income and long term care insurance widely available and affordable in our country. 
Preserving our risk classification process is critical to preserving our ability to continue to 
pay future claims to consumers. 

Life insurers may collect medical information directly from the consumer. With 
the consumer’s consent, medical information may also be collected from the consumer’s 
medical provider. Medical information used for underwriting purposes is collected from 
third parties only with the consumer’s consent. Insurers may also request medical 
information in connection with processing a policyholder’s claim. For additional 
information regarding the operational aspects of the underwriting process, I refer you to 
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my previous testimony before the Subcommittee in June 1999 and before the full 
Committee in June, 2000. 1 

The ACLI’s Medical Information Confidentiality Policy 

ACLI members are keenly aware of the importance of maintaining the 
confidentiality of medical information of policyholders. They are committed to the 
principle that they must handle medical information appropriately and ensure that its 
confidentiality is preserved. To underscore that commitment, our members strongly 
support ACLI’s policy, entitled Confidentiality of Medical Information: Principles of 
Support, which is intended to be used in connection with legislative and regulatory 
privacy proposals. I have attached a copy of our Principles of Support to my testimony. 

The ACLI’s Principles of Support provide for strict limits on the ability of 
insurers to obtain and disclose medical information about their policyholders. The 
Principles also support a prohibition agpinst an insurance company sharing a consumer’s 
medical information with a financial institution, such as a bank, for the purpose of 
determining the person’s eligibility for a loan or other credit. This policy applies even if 
the financial institution is affiliated with the insurer. Our members are strongly 
committed to this principle. 

Medical Information and the FCRA 

Under the FCRA, medical information may be a “consumer report” because it 
bears on the consumer’s personal characteristics and is used as a factor in establishing a 
consumer’s eligibility for insurance. However, medical information is accorded special 

1 Testimony of the American Council of Life Insurance Before the House Committee on Banking and Financial 
Services, Subcommittee on Financial Institutions and Consumer Credit On Emerging Privacy Issues, June 21, 1999; 
Testimony of the American Council of Life Insurers Before the House Committee on Banking and Financial 
Services On The Medical Financial Privacy Protection Act, June 14, 2000. 

- 4 - 



76 


status under the FCRA. Medical information can be disclosed by a consumer reporting 
agency to an insurer only in connection with an insurance transaction and only with the 
consumer’s consent. 

The FCRA is important to insurers because it establishes a framework under 
which insurers may obtain and share consumer information which facilitates the 
widespread availability and affordability of life insurance products and services 
uniformly through out the country. For example, the Act establishes that insurers may 
obtain a consumer report in connection with underwriting insurance. The Act enables 
insurers to obtain and share information that is critical to the determination of the 
consumer’s eligibility for insurance and the appropriate premium. At the same time, the 
FCRA provides safeguards to ensure that the confidentiality of highly sensitive medical 
information will be preserved. Insurers believe that the FCRA is critical to their business. 
The act acknowledges that it is important for insurers to obtain medical information in 
connection with underwriting insurance and processing claims. At the same time, the 
FCRA recognizes the highly sensitive nature of medical information and establishes 
safeguards for consumers. 

The Gramm-Leach-Bliley Act and State Law 

Insurers also strongly support the privacy protections of Title V of the Gramm- 
Leach-Bliley Act (the “GLB Act”). Under the GLB Act, medical information is regarded 
as nonpublic personal information and is subject to the protections established by that act. 
Medical information may not be shared with an unaffiliated third party unless the 
consumer has been given a notice that the information may be shared and is provided 
with the opportunity to opt-out of such sharing. Medical information is permitted to be 
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shared without an opt-out only for operational reasons or in connection with a joint 
marketing agreement between two or more financial institutions. However, as noted 
below, state privacy laws and regulations generally require an opt- in for the sharing of 
medical information. 

The GLB Act provides that state insurance authorities are to adopt rules to 
implement and enforce the GLB Act under state insurance law. When the National 
Association of Insurance Commissioners (“NAIC”) and the states were in the process of 
developing and promulgating their rules, the ACLI expressed the view that medical 
information should be accorded additional protections in view of its highly sensitive 
nature. Accordingly, the ACLI firmly supported the heightened protections contained in 
the NAIC Privacy of Consumer Financial and Health Information Model Regulation. 
Under the Model Regulation, an insurer may not disclose health information about a 
consumer unless an authorization is obtained from the consumer. In effect, the NAIC’s 
Model Regulation requires an opt- in before medical information may be shared by 
insurers. It should be noted, of course, that like the GLB Act, the Model Regulation 
permits the disclosure of medical information in connection with operational 
requirements in order to complete the insurance transaction, as well as for other 
operational needs. 

The NAIC’s Insurance Information and Privacy Protection Model Act 

Before Congress enacted the GLB Act, the NAIC developed its Insurance 
Information and Privacy Protection Model Act (the “NAIC Model Act”). The NAIC 
Model Act requires the written authorization of the consumer before an insurer may share 
consumer medical information with another person. Information, of course, can be 
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shared in order to enable the insurer to perform business functions needed to process an 
application and to complete the insurance transaction. Under the NAJC Model Act, an 
insurer must obtain a consumer’s authorization (i.e., opt-in) before it may disclose 
medical information to a nonaffiliated party for marketing. The Model Act provides an 
added degree of protection to consumers and underscores the importance insurers attach 
to preserving the confidentiality of consumer medical information. Also, in addition to 
these NAIC model laws, many states have other laws and regulations that require insurers 
to obtain consumers’ consent before disclosing medical information relating to particular 
medical conditions. 

HIPAA 

Health insurers and long term care insurers are subject to regulations adopted by 
the Secretary of Health and Human Services under the Health Insurance Portability and 
Accountability Act of 1996 (“HIPAA”). The ability of other insurers, including life and 
disability income insurers, to obtain medical information is also subject to the HIPAA 
rules. The HIPAA rules establish a broad regulatory framework governing the use and 
disclosure of consumer health information by health care providers, such as doctors, 
hospitals, pharmacies and health plans, which include long term care insurers. Unless 
they are engaged in treatment, payment or health care operations, health care providers 
may not disclose medical information about a consumer to others, including life and 
disability insurers, as well as long term care insurers, unless they first obtain the 
authorization (i.e., opt-in) of the consumer. Similarly, unless they are engaged in 
treatment, payment, or health care operations, health insurers and long term care insurers 
may only disclose medical information about a consumer with the consumer’s 
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authorization (i.e., opt- in). The HIPAA ruies, therefore, provide another significant 
level of protection to assure that consumer medical information is handled properly. 

Conclusion 

The ACLI and its members are committed to protecting the privacy of 
consumer medical information. We believe that our exemplary record in preserving the 
confidentiality of such information demonstrates our commitment to protecting the 
privacy of our policyholders. We reiterate our strong support for strict protections for 
medical records confidentiality, including support for prohibiting the sharing of medical 
information in connection with an extension of credit . We appreciate the opportunity to 
testify today, and I would be pleased to address any questions the Subcommittee may 
have. 
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Confidentiality of Medical Information 
Principles of Support 

Life, disability income, and long-term care insurers have a long history of dealing with 
highly sensitive personal information, including medical information, in a professional 
and appropriate manner. The life insurance industry is proud of its record of protecting 
the confidentiality of this information. The industry believes that individuals have a 
legitimate interest in the proper collection and use of individually identifiable medical 
information about them and that insurers must continue to handle such medical 
information in a confidential manner. The industry supports the following principles: 

1 . Medical information to be collected from third parties for 
underwriting life, disability income and long-term care insurance 
coverages should be collected only with the authorization of the 
individual. 

2. In general, any redisclosure of medical information to third parties 
should only be made with the authorization of the individual. 

3. Any redisclosure of medical information made without the 
individual's authorization should only be made in limited 
circumstances, such as when required by law. 

4. Medical information will not be shared for marketing purposes. 

5. Under no circumstances will an insurance company share an individual’s 
medical information with a financial company, such as a bank, in 
determining eligibility for a loan or other credit - even if the insurance 
company and the financial company are commonly owned. 

6. Upon request, individuals should be entitled to learn of any 
redisclosures of medical information pertaining to them which may 
have been made to third parties. 

7. All permissible redisclosures should contain only such medical 
information as was authorized by the individual to be disclosed or 
which was otherwise permitted or required by law to be disclosed. 
Similarly, the recipient of the medical information should 
generally be prohibited from making further redisclosures without 
the authorization of the individual. 
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8. Upon request, individuals should be entitled to have access and correction 
rights regarding medical information collected about them from third parties 
in connection with any application they make for life, disability income or 
long-term care insurance coverage. 

9. Individuals should be entitled to receive, upon request, a notice which 
describes the insurer's medical information confidentiality practices. 

10. Insurance companies providing life, disability income and long-term care 
coverages should document their medical information confidentiality policies 
and adopt internal operating procedtres to restrict access to medical 
information to only those who are aware of these internal policies and who 
have a legitimate business reason to have access to such information. 

11. If an insurer improperly discloses medical information about an individual, it could 
be subject to a civil action for actual damages in a court of law. 

12. State legislation seeking to implement these principles should be uniform. 

Any federal legislation to implement the foregoing principles should preempt 
all other state requirements. 
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Mr. Chairman and Distinguished Members of the Subcommittee: 

My name is Harold Morgan. I am Senior Vice President, Human Resources for Bally 
Total Fitness Corporation. I am pleased to appear before you today on behalf of LPA, the 
HR Policy Association, to discuss the critical role played by employment background 
screening in today’s workplace and other important issues concerning the Fair Credit 
Reporting Act. 

Bally Total Fitness Corporation is the largest and only nationwide, commercial 
operator of fitness centers, with approximately four million members and nearly 430 
facilities located in 29 states, Canada, Asia and the Caribbean. We have approximately 
23,000 employees, of whom over 5,000 are personal trainers and 1,000 are employed in 
our child care centers. 

LPA, the HR Policy Association, is a public policy advocacy organization 
representing senior human resource executives of more than 200 leading employers doing 
business in the United States. LPA provides in-depth information, analysis, and opinion 
regarding current situations and emerging trends in employment policy among its 
member companies, policy makers, and the general public. Collectively, LPA members 
employ over 19 million people worldwide and over 12 percent of the U.S. private sector 
workforce. 

I appreciate the opportunity to appear before you today to discuss the application of 
the Fair Credit Reporting Act to employment background checks and investigations of 
sexual harassment and other serious workplace misconduct. The Fair Credit Reporting 
Act applies to most employment background checks by large employers such as my 
company, because a consumer reporting agency is typically used to perform the 
screening. Yet, employment screening is an aspect of FCRA that is often overlooked, as 
most of the focus of the policy debate centers on credit records and other consumer 
financial information. 

While credit records can be an important component of an employment background 
check, depending on whether the position involves some financial responsibilities, the 
reality is that the vast majority of employment background checks are more focused upon 
information of far greater relevance to most positions — employment history, educational 
background, professional credentials, and, most importantly, criminal history. It is 
important for Congress to be aware that all of these aspects of background screening are 
regulated by a statute originally intended and designed to regulate the sharing of personal 
financial information. 

These regulations can have an enormous impact, especially in the service sector. 
Businesses in the service sector generally have greater turnover and, as a result hire many 
employees. By way of example, last year my company hired over 10,000 new employees. 

Generally speaking, we urge your Subcommittee to recognize the enormous pressures 
and expectations imposed on today’s employer with regard to seeking to ensure that 
individuals in their workplace do not pose a threat to their co-workers, customers, and the 
public at large. If any changes to FCRA are to occur, they should facilitate the ability of 
employers to address these needs rather than hindering it with new restrictions. 
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The Importance of Background Checks 

Since 1996, when significant new employer obligations were added to FCRA, the 
priority attached to employment background checks by employers, employees and the 
public generally has changed dramatically. While the horrific events of September 1 1 
have clearly played a part in this, that is not the entire story. A decade of disturbing 
headlines involving workplace violence, coupled with a commitment by companies to 
stamp out sexual and racial harassment in the workplace, had already prompted 
employers to exercise greater care. Meanwhile, soon after September 1 1 , a wave of 
corporate scandals, where the misdeeds of a few key employees brought corporate giants 
to their knees, demonstrated the need to exercise this caution at all levels of the corporate 
domain. 

In my own company, we have several employee groups where caution must be 
"exercised" (so to speak) from a screening and hiring perspective. In the nature of their 
work, our personal trainers have a certain amount of physical contact with their clients as 
well as having access to our locker rooms. We certainly need to avoid hiring anyone that 
may have a tendency toward violence, sex offenses or other actions that would pose a 
serious threat to their co-workers or our customers. In addition, our supervisors have 
considerable access to personal client information that must be accorded the utmost 
confidentiality. Finally, the sensitivities regarding our child care attendants go without 
saying. Clearly, all of these employees need to be thoroughly screened. 

Employers conduct background checks on potential and current employees in order to 
screen out candidates who pose a greater-than-average threat to the safety and security of 
the workplace. Examples of why background checks are necessary, unfortunately, are 
not hard to find. Indeed, the newspapers are full of stories detailing workplace violence, 
fraud, sexual and racial harassment, or other problems that may have been avoided with a 
background investigation. In the last few years, several episodes of workplace violence 
have highlighted this issue. Meanwhile, the Occupational Safety and Health 
Administration (OSHA) reports that homicide was the second leading cause of 
occupational fatalities in 200 1. 1 

Examples of why screening can be a critical part of maintaining a safe work 
environment, unfortunately, are not hard to come by. In one recent case, a maintenance 
employee in an apartment building, strangled a 20-year-old mother. As part of his work, 
the maintenance employee had access to the keys for all the apartments and he used those 
keys to unlawfully enter the victim’s residence. Had the apartment complex ran a 
background check, it would have discovered he had previously been convicted of rape, 
armed robbery, burglary, robbery by force, and credit card fraud and that there was an 
outstanding warrant for his arrest. 2 

Another area where background checks can be a useful tool is in the prevention of 
identity theft, which has been a major focus of the FCRA hearings this year. An example 
of how a background check can help curb identity theft is provided by an incident 
involving First Interstate Bank prior to its acquisition. In 1994, First Interstate permitted 
an individual to work for three months in its Visa credit-card-collections division before 
terminating him after a background check revealed he had been convicted of grand theft 
in California in 1981. 3 During those three months, however, the employee used a 
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customer’s confidential information to obtain credit cards and take out high-interest-rate 
loans, accumulating a total of $50,000 in debt. 4 The customer in turn, sued the First 
Interstate for $150,000. 5 

A similar identity theft case shows the importance of a thorough background check. 
An individual who was convicted in 1996 of two felony counts related to identity theft in 
Ohio reused the identity he had stolen in that case to apply for the position to oversee 
pension funds with the state Public Employee Retirement Fund. 6 The state had run a 
limited background check that did not reveal the false identity or convictions. 7 After a 
tip, however, a newspaper engaged in a more thorough background investigation and 
discovered his real identity and criminal past. 8 Not surprisingly, after the incident, the 
Governor called for a review of the state’s background check procedures. 9 

Thus, it is not surprising that the public not only supports — but also in many cases 
expects — employers to conduct criminal background checks. Indeed, according to a 2002 
Harris poll conducted for Privacy & American Business, the vast majority of employees 
found investigations into a job candidate’s work history (92 percent) and/or criminal 
convictions (91 percent) acceptable, and a majority believe that employers should be able 
to examine arrest records without convictions. 10 The poll also found that 53 percent of 
employees want their employers to conduct more detailed background checks. 11 

Meanwhile, in response to this heightened public concern, the government 
increasingly requires that certain employers conduct background checks. For example, in 
sensitive industries — day care, transportation, ports, security, financial services and 
nuclear power — the government either has instituted or is seriously considering mandated 
background checks. Most recently, under proposed rules currently pending before EPA, 
contractors performing work for EPA on federally-owned, leased or occupied facilities 
would be required to conduct background checks and make suitability determinations 
regarding employees working at those facilities. 12 In addition, in an action required by 
the USA PATRIOT ACT, the Transportation Security Administration and DOT have 
issued interim regulations, effective immediately, requiring background checks for 
holders of commercial drivers licenses with a hazardous materials endorsement. 13 

This list is likely to grow as several Members of Congress on both sides of the aisle 
have introduced numerous bills that would require employers in specific industries to 
perform background checks for certain occupations. A partial listing includes: H.R. 1 8, 
by Rep. Judy Biggert (R-IL), requiring background checks for employees of certain 
Medicare providers; H.R. 439, by Rep. Rob Andrews (D-NJ), requiring that businesses 
“that send employees into people’s homes” perform background checks on those 
employees; H.R, 364, by Rep. Darlene Hooley (D-OR), requiring background checks on 
drivers providing Medicaid medical assistance transportation services; and S. 350, by 
Sen. Hillary Clinton (D-NY), requiring background checks on employees who handle 
radioactive materials. 

In some instances, the government does not explicitly require background checks, but 
encourages them by permitting “negligent hiring” suits against employers that fail to 
conduct adequate checks. Under a negligent hiring claim, a plaintiff may recover against 
an employer for injuries caused by an employee whom the employer would not have 
hired had it conducted an adequate background check. 
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LPA Background Check Protocol 

As the importance of employment background screening has grown, we also 
recognize the need for employers to maintain the confidentiality and ensure the accuracy 
of the highly sensitive and private information about prospective and current employees 
gained through background checks and employee investigations. Employers are 
responsive to this need and take the utmost care in developing and implementing 
practices that maintain confidentiality and accuracy of information gathered from 
background checks and investigations. 

A description of how LPA member companies approach this sensitive area is 
provided by the LPA Background Check Protocol. The Protocol was authored by the 
LPA Workplace Security Advisory Board, which is composed of the top security officials 
of LPA member companies. The Protocol articulates the best practices of companies that 
have had considerable experience with background checks and illustrates the complexity 
of the issues in this area. Those issues — which involve matching the unique 
characteristics of the applicant or employee with the distinctive components of the job in 
question — do not lend themselves to black letter prescriptions. Thus, the Protocol, like 
voluntary guidelines, acts as an effective guidepost for employers without imposing rigid, 
inflexible and ineffective restrictions. 

Application ofFCRA to Employment Background Checks 

Employment background checks are regulated by the Fair Credit Reporting Act 
whenever the employer uses a consumer reporting agency (CRA) to collect the 
information. Because few large employers have the resources to conduct their own 
background checks, it is quite common to use CRAs to ensure a thorough and accurate 
search. Regulation by FCRA has two implications for an employer: 1) procedural 
requirements pertaining to the initiation of the background check and use of the 
information gathered; and 2) limits on the reporting of information by the CRA to the 
employer. 

Procedural Requirements . In terms of procedural requirements, the employer must: 

• notify and obtain consent from the employee or applicant before 
initiating a covered background check; 14 

• before receiving the background check, certify to the CRA that it has 
provided notice and received consent and will provide a copy of the 
background check and description of FCRA rights before taking 
adverse action; 15 

• before taking an adverse employment action ( i.e ., termination, 
demotion, etc.) based on the background check, provide the applicant 
or employee with a copy of the background check and a summary of 
his or her rights under FCRA (this will be provided by the CRA); 16 
and 

• after taking an adverse action, provide the individual with an “adverse 
action notice.” The notice may be provided orally, in writing, or 
electronically, but must include: 
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- the name, address, and phone number of the CRA (including 
any toll-free telephone number established by a national CRA) 
that supplied the background check; 

- a statement that the CRA did not make the decision to take the 
adverse action and cannot give specific reasons for it; and 

- a notice of the individual’s right to dispute the accuracy or 
completeness of any information the CRA furnished, and his or 
her right to an additional free consumer report from the agency 
upon request within 60 days;' 7 

• if the individual disputes the accuracy or completeness of the 

information in his or her file, the CRA shall reinvestigate the matter 
free of charge and record the status of the disputed information within 
30 days. 18 

As far as background checks are concerned — as opposed to workplace misconduct 
investigations which we will discuss later — we are not aware of any problems LPA 
member companies have had in complying with these procedural requirements. Because 
of the critical nature of employment background checks described at the outset, we would 
strongly caution against imposing any further restrictions that would only impede the 
process of obtaining essential information in a timely manner. 

Limits on Information . The second major limitation of FCRA on employment 
background checks pertains to the information that may be provided to the employer. 
FCRA provides that covered background check reports for employees or applicants 
expected to earn less than $75,000 a year may not contain information regarding arrest 
records, civil suits or judgments, or other adverse information that predates the report by 
more than seven years or the applicable statute of limitations — whichever is longer. 19 
Conviction records are excluded from this prohibition. 

The seven-year time frame is a product of the statute’s primary focus upon personal 
financial information, where seven years is a very long period of time. We would ask 
whether it makes sense to apply the same time frame to criminal records. Most 
employers are going to discount an arrest without a conviction that is more than seven 
years old anyway, but this may not always be the case. If a position involves contact 
with children and the applicant was arrested more than seven years previously for child 
molestation, even if it was beyond the statute of limitations, shouldn’t the employer at 
least have that information to make an informed decision? In these instances, the 
employer could allow the applicant to demonstrate that he or she was exonerated on the 
basis of the facts and not some procedural technicality. 

If your Subcommittee wishes to support the ability of employers to conduct 
background checks in order to enhance workplace security, we believe the seven-year 
limit on all non-financial information — or at the very least criminal histories — should be 
removed or at least extended. 
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Proliferation of State Laws Inhibiting Access to Criminal Records 

While the seven-year limit on adverse information in FCRA poses some obstacles to 
a thorough background check, this is not nearly as serious as a recent trend among states 
laws posing even greater restrictions. Several states completely prohibit or severely limit 
an employer's access to arrest and conviction information. Most of these prohibitions are 
contained in state discrimination laws, although some are part of state credit reporting 
laws (i.e., state versions of FCRA). 

State Discrimination Laws . The prohibitions pursuant to state discrimination laws are 
a derivative of several federal courts rulings that using arrest or conviction records as an 
absolute bar to employment may, in certain circumstances, have a disproportionate or 
“disparate” impact on select minorities and therefore violate Title VII of the Civil Rights 
Act of 1964 (Title VII) unless the employer can show that such action is “job related.” 20 

Unfortunately, many states are using the logic behind these decisions to prohibit 
employers from ever inquiring about a candidate’s arrest record — even where there is no 
evidence that the employer’s inquiry will lead to unlawful employment discrimination. 21 
Some states take it a step further by limiting an employer’s ability to inquire into 
convictions — again, even where there is no evidence that the inquiry will lead to unlawful 
discrimination. 

Yet, even the Equal Employment Opportunity Commission (EEOC) has 
acknowledged that arrest records may provide information important to the employee 
selection process. 22 In a guidance document, the Commission provided examples where 
information gained from an arrest record would justify refusing to hire a candidate. 23 In 
one of the examples, the Commission said a company would be justified for refusing to 
hire someone as a bus driver if the person had been arrested two years ago for driving 
while intoxicated, but was acquitted on procedural grounds. 24 Similarly, the Commission 
found it acceptable for a school to refuse to hire as a teacher a candidate who was 
arrested for statutory rape of a student while working at another school, even though 
charges were dropped because it was discovered the student had just turned 18. 25 

A recent case involving a high school here in Washington, D.C. illustrates the 
potential danger of ignoring an arrest record for a sensitive position. A former Ballou 
High School counselor has been charged with forcing a Ballou student to have sex with 
him more than 10 times over a two-year period. A police affidavit alleges that the 
counselor told the student he would change her grades or fail her if she refused to have 
sex with him. According to court records, the same individual was charged in 1996 with 
raping a 15-year-old girl in August 1992. The case was tried in D.C. Superior Court in 
March 1997 and ended in a hung jury with no retrial. 

School officials point out that, because there was no conviction, D.C. regulations 
prohibited them from taking the earlier criminal case into account when the individual 
applied to be a school attendance counselor in 1 999. It is worth noting that the same 
individual received probation in 1988 for two charges of attempted drug possession. 
School officials indicate, even for a school counselor, that information also could not 
have been used to bar him from employment with D.C. schools because drug convictions 
more than 10 years old or that involve only marijuana do not preclude employment. 26 
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These examples show that arrest records can reveal important information. Indeed, 
just because a prosecutor could not prove beyond a reasonable doubt that the alleged 
violation occurred does not definitely resolve whether some misconduct did not occur, 
particularly in light of limitations on evidence in criminal trials. In fact, even in the 
context of arrest records, the EEOC has specifically rejected the notion that federal 
discrimination law requires an employer to apply the beyond a reasonable doubt standard 
in order to base an employment decision on an candidate’s arrest record. In guidance, it 
has noted that the employer may use an arrest record as a basis of an employment 
decision without conducting “an informal ‘trial’ or extensive investigation to determine 
an applicant’s or employee's guilt or innocence.” 27 

Nevertheless, many state equal employment opportunity laws prohibit employers 
from seeking information on arrest records. Indeed, at least 1 1 states have statutes 
explicitly prohibiting arrest records inquiries, 28 and as many as 12 states have issued 
administrative guidance declaring the inquiries unlawful. 29 Other states only permit 
arrest inquiries if the employer shows business necessity. 30 

Some states even limit inquiries into conviction records, such as Alaska, the District 
of Columbia (as noted), and Ohio, which prohibit inquiries into certain convictions more 
than 10 years old. 31 Other states impose different limitations. For example, Hawaii only 
permits inquiries into convictions for candidates who have been extended a conditional 
offer of employment. 32 California prohibits requests into marijuana convictions over two 
years old. 33 Similarly, Massachusetts prohibits inquiries into certain first-time 
convictions — including misdemeanor drunkenness, simple assault, and speeding. 34 Some 
states only allow inquiring into convictions when the employer proves it is job related. 35 

State Credit Reporting Laws and Other Laws . Several states impose limitations on 
consideration of criminal records through their own credit reporting laws. The state laws, 
unfortunately, often impose different obligations than FCRA, thus creating a patchwork 
of requirements employers must navigate to conduct a nationwide background check. 36 

For example, in California, Montana, Nevada, and New Mexico, a reporting agency 
may not report arrests or convictions more than seven years old. 37 California, New 
Mexico, and New York prohibit a reporting agency from reporting any arrest that does 
not result in a conviction. 38 Other states, such as Kansas, Maryland, Massachusetts, and 
New Hampshire, 39 prohibit consumer reporting agencies from reporting on arrests or 
convictions more than seven years old if the employee or applicant is expected to earn 
less than $20,000 a year. New York and Texas have similar laws but set the salary level 
at $25,000 and $75,000, respectively. 40 

If your Subcommittee wishes to support the ability of employers to conduct 
background checks in order to enhance workplace safety, we believe you should consider 
a safe harbor against prosecution under state law limitations on criminal information for 
employers who have complied with the terms of FCRA. 

Inadequacy of Existing Databases 

Even where an employer to is allowed to consider criminal data, there is the problem 
of access to such data. While FCRA itself cannot correct this problem, any discussion of 
the impact of FCRA on background checks would not be complete without at least noting 
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the problem. While workers in certain industries, such as those employed at nuclear 
plants or in U.S. ports, are subject to national and international background checks run 
through the Justice Department — employers in most industries do not have access to 
federal databases and must run nationwide background checks by accessing each state 
database either through their own resources or through a consumer reporting agency. 41 

The federal government maintains various databases with criminal history 
information, the most comprehensive of which is the National Crime Information Center 
(NCIC), which is maintained by the FBI. Yet, access to these databases is limited to law 
enforcement and certain other governmental personnel, even though to a large extent the 
data in the databases is a matter of public record. Congress has enacted laws permitting 
some employer access to criminal history records through the FBI or state agencies but 
this access is narrowly limited to certain occupations. 

Thus, for the vast majority of positions, employers and the consumer reporting 
agencies they use are left with a jurisdiction-by-jurisdiction search, which is not always 
sufficient. For example, in a recent case in Virginia, a former employee of the Williams 
School, was convicted of videotaping nude boys from the school. 2 The school only ran a 
background check in Virginia which, of course, failed to turn up a previous conviction for 
child molestation in North Carolina. 

While we recognize that any changes in access to federal criminal databases is 
outside the jurisdiction of your committee, we would encourage Congress to look into 
this problem. Since FCRA encompasses information about criminal records, it would 
certainly be relevant as part of any new legislation amending FCRA to authorize a study 
of the effects of the current prohibition against employers accessing these records for 
employment purposes. 

Application of FCRA to Sexual Harassment and Other Workplace Misconduct 

Investigations 

Your Subcommittee’s consideration of the reauthorization of FCRA provides an 
opportunity to address a serious misinterpretation of the statute by the Federal Trade 
Commission with regard to certain workplace misconduct investigations. In 1999, the 
FTC issued an opinion letter, known as the Vail letter, which states that if an employer 
uses experienced outside investigators, such as private investigators, consultants, or law 
firms, to investigate workplace misconduct, the investigators are considered “consumer 
reporting agencies” (CRAs) under FCRA and, therefore must comply with that Act’s 
notice, disclosures and other requirements. 43 

Unfortunately, an investigator cannot possibly conduct an effective investigation into 
many forms of serious workplace misconduct while also complying with these 
requirements. For example, as is illustrated in a case we describe below, a board of 
directors cannot effectively investigate its CEO and other high-level executives for 
“cooking the books” if it must first inform and obtain consent from the subjects of the 
investigation. Nor could an employer conduct an effective investigation into sexual or 
racial harassment if witnesses knew that the employer would have to readily reveal to the 
accused a report in which he or she could easily identify those witnesses. 44 
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Thus, the FTC interpretation effectively deters employers from using outside 
organizations to conduct investigations. Yet state and federal laws strongly encourage 
employers to use experienced and objective third parties to investigate suspected 
workplace misconduct, such as workplace violence, fraud, employment discrimination 
and harassment, securities violations, and theft. Moreover, in many cases an employer 
may need to use an outside investigator because the technical nature of the alleged 
misconduct requires an expert investigator or the investigation is of a high-level official 
and outside objectivity is needed. In other cases, the employer may simply lack the 
resources to conduct an in-house investigation. 

Even the FTC has acknowledged the problem caused by the Vail letter. 45 
Nevertheless, the Commission has refused to rescind the Vail letter, claiming again in its 
testimony earlier this month that it is a correct interpretation of the statute and that 
Congress must amend FCRA in order to fix the problem. Indeed, the Commission has 
maintained this position despite change in leadership and in the face of overwhelming 
criticism of the legal reasoning behind the Vail letter, particularly with respect to 
Congressional intent and legislative history. 46 

The few courts that have addressed the issue have neither embraced nor squarely 
rejected the Vail letter. While most have expressed doubt over the validity of the Vail 
letter interpretation, they have nonetheless disposed of the case on technical issues not 
directly related the to FTC’s interpretation. 

In one noteworthy case where this issue has yet to be resolved, Rugg v. Hanacf 1 the 
company hired a consulting firm to investigate possible problems with its finances after 
the city of New York expressed concern following an audit. Soon thereafter, the board of 
directors discharged the company’s executive director. Relying on the Vail letter, the 
executive director sued the company for failing to follow FCRA’s notice and disclosure 
requirements. Although the court expressed reservations about the validity of the Vail 
letter interpretation, it nonetheless denied the employer’s motion to dismiss and ordered 
more discovery on the issue of whether the consulting firm regularly conducted such 
investigations, and therefore is a CRA within the meaning of the statute. 48 

Bipartisan legislation has been introduced — H.R. 1543, the Civil Rights and 
Employee Investigation Clarification Act, by Reps. Pete Sessions (R-TX) and Sheila 
Jackson-Lee (D-TX) — which would exempt workplace misconduct investigations from 
FCRA as long as certain conditions are met. H.R. 1543 would amend FCRA to exclude 
from the definition of a “consumer report investigation” an investigation concerning: (1) 
suspected misconduct relating to employment, or (2) compliance with the law, the rules 
of a self-regulatory organization, or any pre-existing written policies of the employer. 

The exemption would not include investigations of an employee’s credit, and the results 
of the investigation could only be given to the employer or its agent, a government 
official, a self-regulatory organization, or as otherwise required by law. For the 
exemption to apply, after taking any adverse action based on information in the 
investigative report, the employer would be required to provide to the employee a 
summary of the report containing the nature and substance of the investigation, but not 
the sources of the information. The effect of this exclusion is that employers would not 
need to get consent from an employee before conducting an investigation or disclose the 
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details of the investigation, the two major impediments FCRA imposes on workplace 
misconduct investigations. 

While we would prefer legislation that would exclude altogether from FCRA 
workplace misconduct investigations that do not involve a CRA background check, H.R. 
1543 represents a workable solution and we commend Reps. Sessions and Jackson-Lee 
for their leadership on this issue. We urge you to include this measure as part of any 
FCRA amendments enacted in this Congress, if not as a separate bill. 

Conclusion 

In sum, the reauthorization of FCRA occurs at a time when employers are under 
considerable pressure from their stakeholders to provide a secure workplace. We urge 
that any action you take, if anything, help employers address those critical needs. We 
have made several suggestions in this testimony for improvements to FCRA and we look 
forward to working with you. Thank you for the opportunity to present our views. 
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Mr. Chairman, Members of the Subcommittee my name is Chris Petersen. I am a partner in the 
law firm of Morris, Manning & Martin, LLP and co-chair of the firm’s Privacy and Security 
Practice Group. Over the past three years the firm has provided privacy advice to over 50 
different insurance-related entities including insurance companies, agencies, trade associations 
and business associates or service providers. 

I am testifying today on behalf of one of those clients, the Health Insurance Association of 
America (“HIAA”). HIAA is the nation’s most prominent trade association representing the 
private health care system. Its nearly 300 members provide the full array of health insurance 
products, including medical expense, long-term care, dental, disability, and supplemental 
coverage to more than 1 00 million Americans. 

My testimony today will focus on the continuum of federal and state privacy laws and the 
interplay among these various laws. The testimony will only focus on the major privacy laws 
regulating the insurance industry. These laws include the federal Fair Credit Reporting Act; 
HIPAA Privacy Rule, the Gramm-Leach-Bliley Act; NAIC/State Privacy Information Acts; and 
State-Based Information or Event Specific Privacy Laws. 

The ordering of these laws generally represents the impact that these laws have on the insurance 
industry. However, subjective ranking of the law’s impact is influenced by several factors. For 
instance, a single state health plan with very little state regulation might find the HIPAA Privacy 
Rule to have the greatest impact on its operation. On the other hand, large insurers implementing 
national, uniform privacy policies and procedures could find that individual state specific laws 
probably create the greatest challenges. 
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When analyzing privacy laws insurance entities must begin by answering some initial questions. 
First, what types of entities does the law regulate: financial institution, insurance institution, 
health plan, licensee of a state insurance department, etc 

Second, insurance entities must determine what kind of information is the law protecting: 
financial, medical, personal, protected health information, specific health information, etc. Each 
law, and quite often-individual states, takes unique approaches to regulating the uses and/or 
disclosures of the information that insurance entities gather and possess. The following is a 
summary of the major laws that regulate insurance entities uses and disclosure of information. 


Federal Fair Credit Reporting Act 
(“FCRA”) 


FCRA regulates “consumer reporting agencies” and the uses of “consumer reports.” Under the 
FCRA, a consumer reporting agency is an entity “which, for monetary fees, dues, or on a 
cooperative nonprofit basis, regularly engages in whole or part in the practice of assembling or 
evaluating consumer credit information or other information on consumers for the purposes of 
furnishing consumer reports to third parties, and which uses any means or facility of interstate 
commerce for the purpose of preparing or furnishing consumer reports.” For insurance purposes, 
the key component of the definition is whether one “furnishes consumer reports to third parties.” 

A consumer report is any communication of any information that bears “on a consumer’s credit 
worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or 
mode of living which is used or expected to be used or collected in whole or in part for purposes of 
servicing as a factor in establishing the consumer’s eligibility for... insurance to be used primarily for 
personal, family or household purposes.” The statute, however, contains two key exceptions to the 
definition of a consumer report. 

First, the term consumer report does not include a report containing information solely as to 
transactions or experiences between the consumer and the person making the report so long as the 
information is only shared among companies related by common ownership or affiliated by 
corporate control. Second, a consumer report does not include the communication of “other 
information” among affiliates if the sharing of the “other information” is disclosed to the consumer 
and the consumer is given the opportunity, before the information is shared, to direct that such 
information not be shared, i.e., they must be granted the right to “opt out” of the information 
sharing. Note that these exceptions only apply to the sharing of information with affiliates. The 
exceptions are not available if the entity shares the information with non-affiliated third parties. 

The FCRA allows limited sharing of consumer reports, i.e., the sharing of information that is not 
related to the entity’s own transactions or experiences or the sharing of information for which the 
entity has not provided the right to opt out of the sharing. For insurance purposes, consumer reports 
may only be furnished to “a person who intends to use the information in connection with the 
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underwriting of insurance involving the consumer” or to “a person who otherwise has a legitimate 
business need for the information in connection with a business transaction that is initiated by the 
consumer or to review an account to determine whether the consumer continues to meet the terms of 
the account.” However, insurers and other entities that qualify as a consumer reporting agency may 
not share, without authorizations, consumer reports that contain medical information. 

As the Committee is aware, important provisions of the FCRA are up for reauthorization. The 
HIAA supports the reauthorization of the FCRA. 


Standards for Privacy of Individually Identifiable Health Information 
(“HIPAA Privacy Rule”) 

As a general rule, those insurers that meet the definition of a health plan may not use or disclose 
protected health information, except as permitted or required by the HIPAA Privacy Rule. The 
HIPAA Privacy Rule only mandates two types of disclosures: 1) disclosures to individuals who 
have requested access to their protected health information under the Privacy Rule’s access 
requirements; and 2) when required by the Secretary of Health and Human Services to 
investigate or determine the health plan’s compliance with the Privacy Rule. The HIPAA 
Privacy Rule does not mandate any uses of protected health information. 

Although not mandated by the HIPAA Privacy Rule, the Privacy Rule permits health plans to 
make disclosures that are required by other applicable law. These disclosures are not 
“mandatory disclosures” under the Rule, but obviously health plans must comply with the 
provisions of these other laws regarding required disclosures. 

In addition, the HIPAA Privacy Rule provides for six instances under which a health plan is 
permitted to use or disclose protected health information. The permitted uses and disclosures 
are: 1) to the individual; 2) for treatment, payment or health care operations; 3) incidental uses 
and disclosures that occur as a byproduct of a permitted use or disclosure; 4) pursuant to an 
authorization; 5) disclosures related to health care facility directories and disclosures to persons 
involved in an individual’s care; and 6) other enumerated uses and disclosures for certain public 
policy purposes. Each of these permitted disclosures in discussed in more detail below. It does 
not appear that any of these permitted uses or disclosures would allow a health plan to disclose 
protected health information to another financial institution for use in that institution’s credit 
granting process. 

If an individual specifically seeks access to their information under the HIPAA Privacy Rule’s 
access and accounting provisions, health plans are generally required to disclose the information 
to the individual. All other disclosures to individuals are permissive; it is the health plan’s 
decision as to whether to disclose the information. 
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Health plans may use and disclose protected health information for “treatment”, “payment” and 
“health care operations”. Health care operations encompass a fairly broad category of uses and 
disclosures necessary to administer a health plan’s business and provide benefits to covered 
individuals. Many of a health plan's routine uses and disclosures fall under the health care 
operations umbrella. Examples include underwriting, reinsuring, medical review, legal services, 
fraud detection, customer service, resolution of internal grievances, creating, renewing and 
replacing coverage, selling or transferring business, etc 

Payment also encompasses a fairly broad category of uses and disclosures. It includes activities 
undertaken to obtain premiums, determining responsibility for coverage and provision of 
benefits, coordination of benefits, subrogation of health claims, billing, claims management, 
medical necessity determinations and utilization review. Health plans generally will not be 
involved in treatment activities. 

The H1PAA Privacy Rule permits certain incidental uses and disclosures of protected health 
information that occur as a result of a use or disclosure otherwise permitted by the Rule. An 
incidental use or disclosure is a secondary use or disclosure that cannot reasonably be limited in 
nature, and that occurs as a by-product of an otherwise permitted use or disclosure. However, an 
incidental use or disclosure is permissible only to the extent that the health plan has applied 
reasonable safeguards and has implemented, if applicable, the minimum necessary standards. 
An example of an incidental disclosure is when someone walks into an office and overhears a 
telephone conversation. 

Health plans may use or disclose protected health information pursuant to a valid authorization. 
If a health plan uses or discloses information pursuant to an authorization, the plan’s uses and 
disclosures of the protected health information must be consistent with the authorization. 

Under some circumstances, health plans may use or disclose protected health information to a 
family member, other relative or a close personal friend of the individual or other person 
identified by the individual who is involved in the individual’s if the information is directly 
relevant to the person’s involvement with the individual’s care or payment related to the care. 
An example might be when a spouse calls regarding payment under the other spouse’s insurance 
coverage and the other spouse does not object to the disclosure. Health plans may also use or 
disclose information to notify a family member, personal representative or any other person 
responsible for the care of the individual of the individual’s location, general condition or death. 

In order to make these uses or disclosures, the health plan must, if the individual is present or 
was available prior to the use or disclosure, either 1) obtain the individual’s agreement, 2) 
provide the individual with an opportunity to object (health plans may not make the disclosure if 
the individual objects) or 3) reasonably infer from the circumstances that the individual does not 
object to the disclosures. If the individual is not present or the opportunity to agree or object 
cannot practicably be provided, health plans may still make the disclosure if they determine it is 
in the individual’s best interest to make the disclosure. 
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The HIPAA Privacy Rule specifically states that the following additional types of uses and /or 
disclosures are permitted without an authorization: 1) uses and disclosures required by law; 2) 
uses and disclosures for public health activities; 3) disclosures about victims of abuse, neglect or 
domestic violence; 4) uses and disclosures for health oversight activities; 5) disclosures for 
judicial and administrative proceedings; 6) disclosures for law enforcement purposes; 7) uses and 
disclosures regarding decedents such coroners and funeral directors; 8) uses and disclosures for 
organ and tissue donations; 9) uses and disclosures for research purposes; 10) uses and 
disclosures to avert a serious threat to health or safety; 11) uses and disclosures for specialized 
government functions such as the military or secret service; and 12) disclosures for workers’ 
compensation coverage purposes. 

I do not believe that the HIPAA Privacy Rule’s permitted disclosures would allow a health plan 
to disclose health information to another financial institution in order for that financial institution 
to make credit decisions regarding the individual that is the subject of the information without 
the individual’s signed authorization. 

The HIPAA Privacy Rule’s provisions regarding the application of the minimum necessary 
standards do not apply to uses and disclosures of protected health information made to the 
individual, made pursuant to an authorization, uses and disclosures that are required by law or 
uses and disclosures that are required for compliance with the HIPAA Privacy Rule. All other 
permissive uses and disclosures are subject to the Privacy Rule’s minimum necessary 
requirements. 

The HIPAA Privacy Rule provides that any privacy standard or requirement under the Privacy 
Rule that is “contrary to a provision of state law preempts the provision of state law. The 
HIPAA Privacy rule defines “contrary” as 1) a state law that would make it impossible for a 
health plan to comply with both state and federal requirements or 2) a state requirement that 
makes creates an obstacle for health plans to meet the objectives of the HIPAA Privacy Rule. 

The are several important exceptions to the HIPAA Privacy Rule state preemption requirement 
that health plans must consider when trying to determine whether to apply federal vs. state law. 
The most important of these exceptions is that the HIPAA Privacy Rule will not preempt any 
state law that relates to the privacy of health information that is “more stringent” that the 
Privacy Rule. 

The HIPAA Privacy Rule provides some guidance as to when a state law is more stringent that 
the Privacy Rule. Two important areas where a state law regarding a use or disclosure will be 
more stringent when the state law meets on of the following criteria: 

1 . The state law prohibits or restricts a use or disclosure which would otherwise be 
permitted under the federal rules; or 

2. The state law provides greater rights of access and amendments. 
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The Privacy Rule also includes a catchall category that state law is more stringent when it 
provides greater privacy protection for the individual. 


Privacy of Consumer Financial and Health Information Regulation 
(“Model GLBA Regulation”) 

In 1999 Congress, by enacting GLBA, established a statutory framework under which all 
financial institutions are required to protect the privacy of their customers’ nonpublic personal 
information. Under GLBA state insurance authorities are charged, under state insurance law, 
with enforcing GLBA’s privacy requirements with respect to “any person engaged in providing 
insurance...” In order to assist state insurance officials in enforcing GLBA’s privacy 
requirements, the NAIC drafted the Model GLBA Regulation as a model for states to adopt. A 
significant majority of states adopted privacy rule based on the Model GLBA Regulation. 

The model provides that before an insurance entity discloses any nonpublic personal financial 
information about an individual to a nonaffiliated third party, the insurance entity must first give 
the individual the opportunity to say he/she does not want his/her financial information to be 
disclosed. This is known as the individual’s “opt out” right. In general terms, the regulation 
states that before an insurance entity can share a person’s information the insurance entity must 
do the following: 

• Give the individual a privacy notice; 

• Give the individual an opt out form; and 

• Give the individual a reasonable period of time (in most cases 30 days) to decide 
whether he/she wants to opt out. 

Insurance entities are only permitted to disclose the information if the individual does not opt 
out. 

There are important exceptions to the Model GLBA Regulation’s general requirement. The first 
exception allows insurance entities to share information related to insurance functions and the 
public good. Examples include; 

• Disclosing information to protect against or prevent fraud; 

• Providing information to rating agencies; 

• Replacing group coverage; 

• Disclosing information as part of a sale or merger; 

• Complying with federal, state or local law; 

• Responding to a subpoena or summons; and 

• Responding to judicial or regulatory authorities with jurisdiction over your 
business. 
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The second exception allows insurance entities to disclose information for processing and 
servicing transactions that have been requested by the insurance entity’s consumers and/or 
customers. Examples include: 

• Disclosing information to underwrite products; 

• Sharing information in order to administer benefits or help process claims; 

• Disclosing information to process premium payments; 

• Providing confirmation statements; and 

• Sharing information to recognize incentives or bonuses associated with insurance 
transactions. 

The final exception allows insurance entities to disclose financial information to outside service 
providers and to do joint marketing with other financial institutions without providing an opt out 
notice. Examples include: 

• Using an outside mail fulfillment business to send marketing letters to customers; 

• Using an outside call center to conduct telemarketing; and 

• Giving your customer list to another insurance company or bank in order to 
conduct joint marketing efforts. 

The Model GLBA Regulation includes special rules regulating disclosures of nonpublic personal 
health information. Insurance entities may not rely on the opt out rule to disclose nonpublic 
personal health information. Insurance entities must either have the individual’s authorization to 
disclose the information or the disclosure must be allowed under the regulation’s permitted 
exceptions. Generally, the regulation allows an insurance entity to disclose information in order 
to service a transaction that a consumer requests, to conduct insurance functions or to make 
disclosures that are in the “public good.” The permitted disclosures are similar to the disclosures 
described above for financial information, but the joint marketing exception is not available for 
disclosures of health information. The Model GLBA Regulation also expressly permits 
disclosure of health information without authorization for any activity that the HIPAA Privacy 
Rule permits without authorization. 

Although the Model GLBA Regulation permits certain disclosures of health information, 
insurance entities are not permitted to disclose health information to another financial institution 
in order for that financial institution to make credit decisions regarding the individual that is the 
subject of the information without the individual’s signed authorization. 


NAIC Insurance Information and Privacy Protection Model Act 
(“1982 Model Act”) 

In 1982 the NAIC adopted its first comprehensive privacy model. This model, the 1982 Model 
Act, provides that insurance entities shall not disclose any personal information (including 
medical record information) and privileged information about an individual collected or received 
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in connection with an insurance transaction unless the disclosure is authorized or specifically 
allowed under the Act. 

The 1982 Model Act specifically allows disclosures of information for insurance functions such 
as conducting audits, peer review, the sale or transfer of a block of business. The Act also 
permits insurance entities to disclose information for public good functions such as disclosures to 
insurance officials, in response to judicial orders, for fraud detection, etc. 

The Act also limits certain disclosures that are made for marketing purposes. An insurance 
entity may disclose information to an affiliate for marketing purposes so long as the marketing is 
for an insurance product or service and the affiliate agrees not to disclose the information for any 
other purpose or to an unaffiliated purposes. Insurance entities may also disclose personal 
information, excluding medical record information and privileged information, to any person for 
marketing purposes but only if the individual has been given the opportunity to indicate that he 
or she does not want personal information disclosed for marketing purposes and the individual 
has given no indication that he or she does not want the information disclosed. 

The 1982 Model Act does not permit insurance entities to disclose health information to another 
financial institution in order for that financial institution to make credit decisions regarding the 
individual that is the subject of the information without the individual’s signed authorization. 


State-Based Information or Event Specific Privacy Laws 

In addition to the comprehensive privacy laws discussed above, most states have enacted statutes 
that protect specific types of health information. Generally, these statutes regulate the uses 
and/or disclosures of “sensitive” information. The following are examples of the types of 
information where there is significant state regulation: domestic abuse; genetic infonnation; 
mental health information; reproductive health; sexually transmitted diseases; and substance 
abuse treatment. 

Condition specific laws further restrict the use and/or disclosures of protected health information. 
These laws limit insurance entities abilities to use the protected information. They also usually 
require an authorization or informed consent before the information may be disclosed. 

I am not aware of any state-specific privacy law that allows an insurance entity to disclose health 
information to a third party for the other party to make credit decisions. Even if such a law 
existed it would likely be preempted as contrary to the HIPAA Privacy Rule. 

As you can see from my comments, the health insurance industry has a long history of protecting 
the health and financial information in it possession. This history has its basis in law, industry 
practices and, most importantiy, the needs of the customer. 


FCRA Congressional Testimony 06l603.doc 



104 


Morris, Manning & Martin, LLP 

June 16, 2003 
Page 9 

Thank you for the opportunity to appear before the Subcommittee. The Health Insurance 
Association of America looks forward to working with the Subcommittee on this important 
issue. 


FCRA Congressional Testimony 061603.doc 



105 


JC 

Bashen 


EEO Solutions for the Proactive Employer 


June 17, 2003 


United States House of Representatives 
Subcommittee on Financial Institutions and Consumer Credit 
1006 Congress, 2129 Rayburn House Office Building 
Washington, DC 20515-6050 

To The Honorable Committee: 

Bashen Consulting extends its gratitude to the Subcommittee on Financial Institutions and 
Consumer Credit ("Committee") for the opportunity to testify regarding the Fair Credit 
Reporting Act ("FCRA") and investigations conducted by outside consultants and attorneys 
("consultants") regarding civil rights violations and employee misconduct. It is imperative to 
analyze the FCRA and civil rights laws collectively, rather than evaluating these complex 
issues only in the FCRA context. After such an examination, the Committee will undoubtedly 
conclude that investigations regarding civil rights violations and employee misconduct must 
be exempt from the FCRA’s required procedures. 

FCRA and the FTC 

It is acknowledged that the FCRA was enacted by Congress in response to the increasing 
public concerns about the rights of consumers and the expanding use of credit in our society. 
Consumer reports are completely discretionary, and have been historically designed to gamer 
personal financial, credit, and other general information to ascertain an applicant’s eligibility 
for employment. The FCRA, however, was not enacted to prevent, identify, and remedy 
workplace discrimination based on a consumer’s race, color, religion, sex, national origin, or 
any other protected categories. None of the Federal Trade Commission’s ("FTC") standard 
publicized literature references workplace discrimination or harassment. Nonetheless, the 
FTC Vail opinion letter has expanded the FCRA's purview to include claims of illegal 
discrimination and harassment in the workplace. As a result, civil rights laws that have 
protected employees (consumers) for 35 years are in jeopardy. 
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Consultants and Consumer Reporting Agencies 

Bashen Consulting is a small minority owned human resources consulting firm that 
investigates allegations of civil rights violations and employee misconduct. Bashen’s 
consultants have collectively investigated thousands of claims involving discrimination and 
employee misconduct, and not one credit report has ever been requested regarding any 
complainant, the alleged offender, or witness. Credit reports and credit histories are 
completely irrelevant to discrimination investigations. Civil rights and employee misconduct 
investigations examine specific allegations of illegal activities. Conversely, consumer reports 
and consumer investigative reports provide general information regarding a consumer’s 
“...character, general reputation, personal characteristics, mode of living...” for 
“...employment purposes...”. 

Civil Rights Laws 

The Civil Rights Act of 1964 and 1991, and similar state and municipal laws, impose an 
affirmative obligation on employers to investigate discrimination complaints. Civil rights 
investigations are not discretionary, in contrast to investigative consumer reports. Under civil 
rights laws, employers risk liability for the acts of employees, vendors, and customers who 
discriminate against employees on the basis of race, religion, color, national origin, ancestry, 
disability, medical condition, sex, or age. The Supreme Court affirmed the duty to 
investigate complaints of harassment, establishing an affirmative defense to liability only 
when employers exercise reasonable care to "correct promptly any... harassing behavior." 1 
Further, the Equal Employment Opportunity Commission ("EEOC") issued guidelines' that 
require an employer to investigate workplace harassment. 

Employers that wish to assert the affirmative defense afforded by Faragher and Ellerth must 
a.) exercise reasonable care to prevent and correct promptly any harassing behavior, and b.) 
must prove that the complaining employee failed to use any preventative or corrective 
opportunities provided by the employer or to avoid harm otherwise. Simply, an employer 
must have a widely disseminated anti-harassment policy and a complaint procedure to protect 
employees (consumers). Prompt, thorough, impartial, objective, confidential, and competent 


1 Faragher v. City of Boca Raton, 1 18 S. Ct. 2275 (1998); Burlington Industries, Inc. v. Ellerth, 
118 S. Ct. 2257 (1998). 

2 EEOC Policy Guidance on Sexual Harassment and EEOC Enforcement Guidance: Vicarious 
Liability for Unlawful Harassment by Supervisors (June 18, 1999). 
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investigations are imperative to any effective anti-discrimination policy and complaint 
procedure, and are required by law and EEOC regulations. For these reasons, many 
employers retain independent, expert consultants to ensure that proper investigations are 
conducted. 

Impact of Vail Letter/FCRA Procedures 

The FTC Vail opinion letter undermines the preventative and remedial essence of all civil 
rights laws by discouraging employees from complaining of harassment; by inhibiting 
employee witnesses from participating in harassment investigations; and by stifling witness 
candor. Competent discrimination investigations are the only available means to assess the 
allegations, issues, facts, and the appropriate remedial measures, when applicable. The 
opinion stated by the FTC in the Vail letter requires employers to gamer written authorization 
from alleged harassers before consultants could prepare investigative reports regarding the 
alleged civil rights violations. There is no such requirement under any of the discrimination 
laws, and such a requisite would be grossly inappropriate in a civil rights framework because 
the purported violator would have control over the investigation. The EEOC guidelines state, 
"The alleged harasser should not have supervisory authority over the individual who conducts 
the investigation and should not have any direct or indirect control over the investigation." 

Pursuant to the FTC Vail opinion letter and Section 604 of the FCRA, the employer is 
required to give the harasser a copy of the consultant's report if the allegations are 
substantiated and legally mandated remedial measures are implemented against the harasser. 
But first, the employer must wait five days before effecting remedial measures, which 
negates another civil rights law mandate: the remedial measures must be prompt or the 
employer faces greater consequences. Also, the harasser will still have contact with the 
complainant, which may create a volatile situation that could spark increased harassment, 
witness intimidation, threats, and/or violent reprisals. Giving confirmed harassers copies of 
consultants' reports will breach confidentiality, and the harassers will know who was 
interviewed and the content of their interviews. Civil rights laws and the EEOC regulations 
require confidentiality. 

Employees will be chilled from reporting civil rights violations if they know the alleged 
offender will receive a copy of the report. The EEOC guidelines state, "An employer should 
make clear to employees that it will protect the confidentiality of harassment allegations to 
the extent possible” and "information about the allegation of harassment should be shared 
only with those who need to know about it." Complainants and witnesses are usually hesitant 
to speak with any investigator, even when reasonable confidentiality is promised. But such a 
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promise is typically the only reason most witnesses agree to be interviewed. Breaching 
confidentiality to comply with the FCRA's procedures will decimate most attempts to curb 
workplace discrimination, and consumers will suffer the most. Imagine if the culprit is an 
officer, executive, supervisor, respected associate, co-worker they fear, or a peer or 
supervisor who has a vengeful or violent propensity. Employees will lose faith in the anti- 
harassment policy and the complaint procedure, and the harassment may continue unabated. 
According to the EEOC guidelines, a complainant may assert that he or she did not use an 
employer’s complaint procedure because he or she perceived it as ineffective. If proven, an 
employer may lose the affirmative defense. This is certainly inconsistent with the spirit and 
the letter of civil rights laws which are to prevent, identify, and redress workplace 
discrimination. 

Disclosing a discrimination investigative report to the harasser may also expose the employer 
to more retaliation claims. The complainant and witnesses adverse to the harasser may 
perceive that the harasser is treating them more harshly because the harasser is now able to 
identify them as his or her accusers. There must be an adverse employment action to sustain a 
viable retaliation claim, but the perception, not a genuine adverse employment action, may 
precipitate a retaliation claim which forces an employer to incur the time and expense to 
investigate and manage a complaint that could have been avoided. Civil rights investigative 
results must be limited to those individuals with the qualified privilege and the need to know. 
There is no FCRA mandate that the alleged harasser must maintain confidentiality once he or 
she secures a copy of an investigative report. Consequently, all employees who do not have 
the qualified privilege status should be precluded from reviewing any type of civil rights 
investigative report to assure reasonable confidentiality. This will mitigate future liabilities 
that are varied and potentially immense. 

EEOC Guidelines 

The EEOC dictates that employers should ensure that "prompt, thorough, and impartial" 
investigations are conducted when complaints are made. Impartial investigations are more 
readily attained by independent consultants who do not have personal or professional 
relationships with the complainants, witnesses, and the accused. Further, an independent 
consultant does not have a vested interest in a favorable outcome, and is often perceived as 
detached and neutral by the employees and the EEOC. Accurate investigative findings and 
conclusions afford greater protection to the consumer and the employer. Internal personnel 
typically have many other duties that are extraneous to the exhaustive discrimination 
complaint process, and they simply need a third party consultant to conduct investigations. 
Many companies do not have qualified internal human resources or legal personnel to 
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investigate alleged civil rights violations, and those that do are typically inundated with 
complaints. Outsourcing to competent consultants solves both problems. 

According to the EEOC guidelines, "The employer should ensure that the individual who 
conducts the investigation will objectively gather and consider the relevant facts." Objectivity 
is imperative to discrimination investigations, especially in harassment cases where witnesses 
must be asked proper questions and credibility must be weighed. Many employers and 
employees are concerned that internal personnel are too familiar with the employees and the 
complaint circumstances to be truly objective. This potential objectivity dilemma, actual or 
perceived by employees, the EEOC, federal and state court judges, should never be 
applicable to independent consultants who report all facts; good, bad, or innocuous. 

The EEOC states, "Whoever conducts the investigation should be well-trained in the skills 
that are required for interviewing witnesses and evaluating credibility." Many internal 
personnel may lack the necessary training and experience to adeptly investigate alleged civil 
rights violations or employee misconduct. Others are concerned about impartiality and 
objectivity. Very few from either category have the time to remain current on the continual 
changes in state and federal laws, which are essential to quality civil rights investigations. 
Consequently, employers routinely outsource this specialized task to qualified consultants 
who conduct timely, thorough, impartial, objective, confidential, and competent 
investigations. Complainants may not use a complaint procedure that they perceive as biased, 
subjective, and administered solely by interna! personnel. They may accordingly attempt to 
defeat the affirmative defense by establishing that the employer's reporting procedure is 
defective. "Negligent investigation" is becoming an increasingly popular allegation in 
discrimination litigation. It is much more difficult to prove if experienced, independent 
consultants conduct the investigations. 

Disputing Consumer Reports 

Section 61 1 of the FCRA provides the means for a consumer to dispute the details of a 
consumer report, which is understandable in the fair credit reporting context; this information 
is most often finite and should be accurately reported. A creditor must stop reporting 
inaccurate information after the consumer has successfully challenged the findings as 
inaccurate, and a consumer reporting agency must reinvestigate the consumer's claims. 
Again, this seems reasonable in the measurable world of financial and credit reporting. 
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Harassment investigations, conversely, are typically very convoluted at the inception. These 
investigations are commonly fraught with innuendo and recrimination, and perhaps importantly, the 
perceived or actual intent of the harasser and the complainant. Intent is further muddled by witness 
statements. Under Section 611 of the FCRA, an alleged harasser could dispute the complainant's 
allegations as inaccurate or false, which usually happens anyway in civil rights investigations. But the 
FCRA gives the harasser greater dispute latitude by empowering him or her to assert that it was not his 
intent to harass or discriminate against another employee. Thus, he or she will assert that the reported 
information is inaccurate or false. How, then, could the complainant or the employer controvert the 
alleged harasser's dispute when intent is the issue under consideration? This is further complicated by 
witnesses who give similar or vastly different accounts of the alleged conduct. In this situation, which 
is common in discrimination investigations, should the complainant and the employer's investigating 
consultant be forced to stop reporting the behavior as harassment pursuant to the FCRA? Should the 
consultant be forced to reinvestigate, pursuant to the FCRA, simply because the harasser denies that he 
or she intended to harass or discriminate? What if the conduct did not constitute a civil rights violation, 
but violated a company policy that mandates disciplinary action? Will the harasser be able to dispute 
the findings as inaccurate? Should the harasser be able to sue the employer for allegedly breaching any 
one of the aforementioned FCRA procedures? Civil rights laws and common sense compel the obvious 
response: "absolutely not." However, these are genuine issues made possible by the FTC's interpretation 
of the FCRA in the Vail letter. Most employees who are accused of discrimination will initially, and 
instinctively, deny the charges in part or in whole. Individuals who violate civil rights laws or company 
policies seldom confess. Intent is not finite; it is nuance wrapped in subtle shades of gray. A competent 
investigator must possess the skills, impartiality, objectivity, and experience to discern truth from 
fiction, and then reasonably determine if some type of personnel policy breach or legal violation has 
occurred. 

The FTC opinion would also compromise the various privileges afforded by the Federal Rules of Civil 
Procedure, and probably most state rules of civil procedure, such as attorney-client privilege, party 
communications, work-product, and reports that are prepared by consultants in anticipation of litigation. 
Discovery issues are decided during litigation by judges on a case-by-case basis. The FTC opinion 
would require employers to give the confirmed harasser a copy of the investigative report without filing 
a lawsuit, which would eliminate the benefit of judicial consideration that may preclude the production 
of the documents or portions of the documents. All of these safeguards and privileges are forfeited 
under the FTC’s production requirement. 

Internal Investigating Personnel/Outside Consultants 

Like internal investigating personnel, outside consultants who conduct civil rights and employee 
misconduct investigations should be exempt from the FCRA procedural requirements. Employers and 
employees alike want the most qualified, objective professionals conducting discrimination 
investigations to better protect all parties. Such investigations are more readily obtained by independent 
consultants who specialize in these types of investigations. It is reasonable to conclude that an 
emclovee (consumer) accused of discrimination would want a competent, neutral party to investigate 
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the allegations against him or her, rather than inexperienced internal personnel who may be perceived as 
having a vested interest in a particular outcome. 

Failure to Comply with FCRA Requirements 

Outside consultants who do not comply with the FCRA procedures are exposed to potential lawsuits by 
the subjects of their investigations. They may subsequently assert that they were improperly disciplined 
or terminated because they did not have the opportunity to respond to the investigative report that 
resulted in the adverse action. If the Vail opinion letter is adopted as policy by the courts, then the 
outside consultant could be accused of "willfully" violating the FCRA, thereby exposing the consultant 
to punitive damages. 

Consultants could chose not to "regularly" conduct discrimination investigations. Of course, this means 
consultants will not possess the cutting-edge expertise that is essential to analyze complex civil rights 
issues. This expertise is derived from knowledge of the ever-changing laws and investigative 
experience, and both are absolutely imperative to protect employees. The alternative is to allow less 
qualified internal personnel or consultants to conduct the investigations. 

The many consulting firms, law firms, partnerships, and other corporations that employ scores of 
professionals to conduct independent investigations could be forced out of business if the FTC's 
interpretation of the FCRA obligates companies to internalize employee misconduct investigations. 
This could result in the dissolution of an entire industry, and will have grave consequences for 
employees (consumers) whose discrimination claims will be controlled exclusively by internal 
personnel. Employers will also suffer if they are forced to internalize discrimination investigations; 
innumerable complaints will be mishandled and improperly investigated. Increased litigation and 
inflated money damages against employers under various federal and state civil rights laws will be the 
result. Decreased employee morale, diminished productivity, and further polarization between the races 
and sexes are indirect, long-term consequences of the FCRA's infringement upon civil rights laws. 

Conclusion 

There is absolutely no detriment to consumers when outside consultants investigate alleged civil rights 
violations in the workplace. Indeed, a qualified agent will provide the necessary expertise, knowledge, 
and experience to conduct thorough investigations that are required by law and the EEOC guidelines. 
Outside consultants also afford objectivity, impartiality, timeliness, and confidentiality. All consumers 
are entitled to fair and complete investigations conducted by competent professionals. Expert 
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consultants minimize the possibility of improper decisions that adversely affect consumers. The FTC's 
interpretation of the FCRA compromises this process, which, ironically, imperils the very consumers the 
FCRA was created to protect. Thus, civil rights and employee misconduct investigations must be 
exempt from the FCRA. We respectfully implore the Committee to amend the FCRA accordingly. 

Very truly yours. 


Janet Emerson Bashen 
President and CEO 


Margaret Plummer 
Director of Operations 
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I. INTRODUCTION 

Mr. Chairman and Members of the Subcommittee on Financial Institutions and Consumer 
Credit: Thank you for the opportunity to testify before you today on the role of the Fair Credit 
Reporting Act (FCRA) and the collection of medical information. 

My name is Joy Pritts. I am an assistant research professor at Georgetown University’s 
Health Policy Institute. My work at Georgetown focuses on state and federal laws that protect the 
privacy of medical information and how these laws interact. 

Today, a vast array of organizations and persons can collect and use medical information. 
They range from health care providers to insurers to banks to employers. There is no one federal 
law that protects the privacy of health information in the hands of these various stakeholders. In 
spite of repeated Congressional efforts, the use and disclosure of medical information continues 
to be governed by a patchwork of legislation and regulations that apply different standards to 
different sectors of the marketplace. 

The Fair Credit Reporting Act (FCRA) is but one piece of this patchwork. I have been 
asked to testify today on the Fair Credit Reporting Act, how it governs the collection of medical 
information and how it interacts with the privacy provisions of two other major federal laws: The 
Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act. 

In order to put these laws in perspective, I will first address how health care consumers 
believe their medical information should be treated. 

II. PUBLIC NEED AND DEMAND FOR CONFIDENTIAL TREATMENT OF 

MEDICAL INFORMATION 

The American public is very concerned about the confidentiality of their medical 
information. In a poll conducted by the Gallup Organization in 2000, 79 % of adults reported that 
it is very important to keep their medical records confidential. People are afraid that their 
medical records will fall into the wrong hands, leading to discrimination, loss of employment, 
loss of benefits, and unwanted exposure. 

Consumers are particularly concerned about banks and insurance companies having 
access to their medical information. The 2000 Gallup survey reported that an overwhelming 95% 
of those polled opposed allowing banks to see their medical records without their permission. 
Similarly, 82% opposed allowing insurance companies to see their medical records without their 
authorization. 

In many cases, consumers have acted on these concerns. A 1 999 survey by Princeton 
Research Associates for the California Healthcare Foundation found that one out of every six 
adults engages in some sort of privacy protective behavior to keep their medical information 
confidential. These consumers pay out of pocket for care that is covered by insurance, doctor- 
hop, provide inaccurate information, and avoid care altogether to protect themselves against their 
health information falling into the wrong hands. We can only imagine how these numbers would 
increase if health care consumers were fully aware of how their medical information could be 
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shared among various organizations. The privacy protective behavior that results from these 
concerns is bad both for the individual health care consumer and for public health. It can result in 
the inadequate care or undetected and untreated health conditions for the individual consumer. It 
can also result in inaccurate and incomplete patient data, which compromises the integrity of 
health research and public health initiatives. Thus, failing to adequately protect the 
confidentiality of health information can have widespread adverse consequences on both 
individual and public health. 

Yet, the federal laws in effect today do just that. They fail to cover all of those who 
collect and maintain medical information and they fail to impose adequate standards on those 
entities that they do cover. 

III. FCRA, GLBA AND HIPAA: A PATCHWORK OF PRIVACY PROTECTIONS 

Currently, the use and disclosure of medical information is governed by a patchwork of 
federal legislation and regulations. My testimony today will focus on the Fair Credit Reporting 
Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA), how they govern the sharing of medical information 
among affiliates and how these acts interact. 

Three central issues evolve when these laws are reviewed. First, these laws do not 
adequately protect the privacy of medical information. Second, it is unclear to what extent states 
can remedy these gaps. Third, it is unclear which federal law prevails when their standards 
conflict. 

Fair Credit Reporting Act 

The FCRA does not adequately protect much medical information collected by banks, 
insurers, and other financial institutions. FCRA primarily restricts the use and dissemination of 
credit reports by banks and other financial institutions. A vast quantity of information escapes 
these restrictions, however, because it is falls outside of the definition of “credit report.” 

Financial institutions are free to distribute without limitation information about their own 
transactions and experiences with consumers. This transaction and experience information can, 
and often does, include medical information. 

Many financial institutions collect medical information in the course of conducting their 
business. For example, life insurers collect medical information in the application process. 
Property and casualty insurers may collect vast amounts of health information in the course of 
their claims process. Banks may collect health information in the course of selling annuities or 
credit insurance. Banks that issue credit cards may have the additional capacity to data mine 
credit card information, which can contain information on payments for health care services. 
Under FCRA, this transaction and experience information, which includes medical information, 
can be shared freely among affiliates without any permission from the consumer. 

Affiliates also may share financial information (other than transaction and experience 
information) so long as they give the consumer notice and the opportunity to opt out. This 
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regulatory scheme is based on two erroneous assumptions: That the notices provided will 
actually be readable by the general public; and that most consumers would give their permission 
if asked. An opt-out essentially presumes permission unless the consumer takes some affirmative 
action. The notices provided by financial institutions, however, are largely written in legalese 
and are incomprehensible to most consumers. Furthermore, polls have repeatedly shown that 
consumers want to be asked before their health information is shared with others. 

The irony of the situation is hard to ignore. The vast majority of Americans oppose 
allowing banks and insurers to see their medical information without their permission. Yet the 
law permits this very activity. 

The increase in the consolidation of the financial services market combined with the 
advances in technological capacity only threatens to exacerbate these threats to privacy. 

FCRA should be amended to afford greater protection to medical information. 

Consumers should be asked in advance, in plain language, whether they want their information 
shared in this fashion. Financial institutions should be prohibited from using medical information 
to provide credit. 

The banking industry asserts that it does not use not medical information for making 
credit determinations. But an April 1993 U.S. Department of Health and Human Services task 
force report cited the case of a banker who also served on his county’s health board. The banker 
apparently cross-referenced customer accounts with patient information and called due the 
mortgages of those suffering from cancer. 

Furthermore, the fact that the banking industry does not engage in certain behavior now 
is no guarantee that it will not do so in the future. Fifteen years ago, it was virtually unheard of 
for insurers to use consumer credit histories to determine insurance premiums or whether to 
cancel or renew an insurance policy. Now, it is becoming increasingly commonplace. Who can 
say whether using medical information for credit decisions will develop along the same lines? 

The time to prohibit such practices is before they become engrained as a standard 
business practice. As we have seen from the development of the Health Privacy Rules 
promulgated under HIPAA, once an information sharing practice becomes acceptable it is almost 
impossible to retract it. 

A further concern with FCRA is the manner in which it potentially affects state law. 

Some states have taken steps to impose protections on the sharing of financial information that 
go beyond those provided by FCRA. It is unclear whether these state protections would survive a 
legal challenge. FCRA preempts states from enacting laws “with respect to the exchange of 
information among persons affiliated by common ownership or common corporate control.” 
Some stakeholders interpret this provision narrowly and assert that FCRA only preempts state 
laws that govern consumer reports. Others, however, read this provision broadly and claim that it 
preempts states from enacting any law that governs the sharing of any information among 
affiliates. If this latter construction were accurate, a state would be prevented from requiring a 
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financial institution from obtaining consumers’ permission (opt in) before sharing medical 
information with affiliates. 

The simplest manner of resolving this ambiguity is to allow the preemption provision of 
FCRA to expire as scheduled on January 1, 2004. At a very minimum, FCRA should clarify that 
it does not preempt state laws that impose greater restrictions on the sharing of medical 
information. 

The inadequacies of the FCRA have not been resolved with subsequent legislation. To 
the contrary, the Gramm-Leach-Bliley Act continues the pattern of allowing medical information 
to be shared freely among affiliated entities. 

Gramm-Leach Bliley Act and the Fair Credit Reporting Act 

GLBA was enacted in 1999 to enhance competition by permitting the affiliation of banks, 
security firms, insurance companies, and other providers of financial services. The premise was 
to promote “one stop shopping” for financial services. 

Recognizing that the creation of integrated financial services firms would exacerbate 
threats to consumers’ privacy. Congress incorporated Title V into GLBA. Title V governs the 
privacy of personally identifiable financial information held by financial institutions. “Personally 
identifiable financial information” is defined broadly as including any information that is 
provided by a consumer to a financial institution to obtain a financial product or service or that a 
financial institution obtains about a consumer in connection with providing a financial product. 
Title V therefore governs any medical information that is provided to or obtained by a financial 
institution about an individual in connection with a financial service or product. 

The “protection” afforded by Title V is de minimus. Title V permits affiliates to freely 
share medical information without any permission from the individual. As for disclosures to non- 
affiliates, Title V only requires notice of the potential disclosure and an opportunity to opt-out. 
There is no opt out provision for affiliates in GLBA. Neither is there a right to opt out of sharing 
with non-affiliated third parties when there is a joint marketing relationship between the financial 
institution and the other party. 

As discussed above, many financial institutions such as life insurers, banks, and property 
and casualty insurers collect medical information in the course of conducting their business. 
Under GLBA these financial institutions can freely exchange this information. For example, 
under GLBA, a bank would be permitted to obtain and use medical information from a life 
insurer to determine eligibility or set the rate for a credit card or mortgage. This simply should 
not be permitted. 

Congress provided the potential for some relief for consumers by including in GLBA a 
provision that essentially provides that Title will not preempt state laws that offer greater 
protection. A few states have moved in this direction. 
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It remains unclear, however, how far states can go in controlling the flow of consumer 
information among affiliates. The confusion stems from the presence in Title V of two 
provisions that address the preemption issue in what maybe seen as a contrary fashion. Section 
507 provides that Title V does not preempt state laws that offer greater privacy protections than 
GLBA This provision would preserve a state law that requires an opt in for affiliates to share 
medical information. 

Section 506 of GLBA, however, essentially preserves FCRA. As discussed above, FCRA 
not only allows the sharing of transaction and experience data without the consumer’s 
authorization it also states from enacting laws “with respect to the exchange of information 
among persons affiliated by common ownership or common corporate control.” The question 
remains: Can states enact legislation that restricts the sharing of consumer information among 
affiliates? Or are states limited to enacting legislation that only pertains to sharing information 
among non-affiliated entities? Rather than wait for court interpretation, Congress has a duty to 
clarify this issue. 

As discussed below, the interpretation of FCRA and GLBA remains important due to the 
limited nature of HIPAA. 

Health Insurance Portability and Accountability Act 

The primary federal law governing the use and disclosure of medical information is the 
Health Privacy Rule promulgated under HIPAA by the United States Department of Health and 
Human Services. 1 While the HIPAA Privacy Rule is extensive, it is by no means comprehensive. 
Because of the limited authority delegated by Congress, the rule is applicable to only a core 
group of persons and organizations that hold health information. The HIPAA Privacy Rule 
directly applies only to: 

■ health care providers that transmit claims-type information electronically; 

■ health plans; and 

* health care clearinghouses. 

Thus, HIPAA does not apply to most of the entities covered by FCRA and GLBA. 
HIPAA does not apply to banks, or life insurers, or property and casualty insurers. There is some 
overlap in that all three laws do govern health plans. 

Health plans are financial institutions that clearly possess great quantities of medical 
information, both from applications for insurance and from claims for payment. HIPAA restricts 
the manner in which a health plans can use and disclose this health information. These 
restrictions vary widely depending on the purpose of the use or disclosure and the recipient of the 
health information. Since this hearing is concerned with affiliate-sharing, I will focus on the 
issue whether, under HIPAA, a health plan could share health information with an affiliate in 
order for the affiliate to use the health information for its business purposes. For example, could 
a health plan share health claims information with an affiliated bank so that the bank could use 
the information in determining eligibility or setting rates for a loan? 


1 45 C.F.R. Part 164. 
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In very general terms, HIPAA would require the health plan to obtain the individual’s 
prior authorization to disclose health information for the business purposes of the affiliate. To 
continue with the previous example, under HIPAA a health plan could not share health claims 
data with an affiliated bank for the bank to use in determining eligibility or setting rates for loans 
unless the health plan obtained the individual’s prior authorization. HIPAA uses what is 
essentially an “opt in” approach. 

HIPAA’s approach to this issue is clearly superior to that of FCRA and GLBA. It is 
important to remember, however, that HIPAA has a very limited applicability. For instance, 
HIPAA does not cover life insurers, automobile insurance carriers, workers’ compensation 
carriers, banks, property and casualty insurers and employers. All of these entities can collect 
medical information in the regular course of their business but fall outside the scope of HIPAA. 
They are simply not subject to HIPAA’s opt in requirements for affiliate sharing. While some of 
these entities are subject to FCRA and GLBA, both of these have less stringent standards for the 
sharing of medical information among affiliates. 

The area where HIPAA, FCRA and GLBA overlap is also problematic due to the lack of 
Congressional direction as to which law prevails. Health insurers, for instance, are subject to 
FCRA, GLBA an HIPAA. The HIPAA Privacy Regulations prohibit behavior that would be 
permitted under GLBA and FCRA. Furthermore, state laws that may be preserved under HIPAA, 
which does not preempt state laws that do not conflict with or are more stringent than the federal 
health privacy standards, could potentially be preempted under FCRA. For example, a state 
insurance law that requires an opt in to sharing health information with affiliates would be 
preserved under HIPAA. Under the strictest reading of the FCRA preemption provision (which is 
incorporated by GLBA), such a state law potentially could be prohibited. 

Congress has been silent with respect to how GLBA and FCRA interact with HIPAA. 
Applying traditional statutory construction rules to determine which statute prevails in this 
situation is problematic to say the least. Generally, later enacted, more specific statutes prevail, 
HIPAA was enacted in 1 996. While the HIPAA regulations are very specific, the statute itself is 
fairly general with respect to the privacy or information. The amendments to FCRA permitting 
experience and transaction sharing among affiliates and preempting state laws were enacted in 
1997 and are also fairly general. GLBA was enacted in 1 999, after the HIPAA statute but before 
the HIPAA regulations were promulgated. The HIPAA regulations are extremely detailed. But 
comparing detailed regulations to statutes is not the norm in conducting an implied repeal 
analysis. 

Congress should clarify that the most stringent standards to sharing health information 
apply when an entity is covered by more than one statute. 
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III. CONCLUSION 

In spite of some Congressional action, there remain significant gaps in the protection of 
the use and disclosure of medical information. Bringing all of those who use and disclose 
medical information within the bounds of federal law can help close these gaps. Additionally, 
Congress should require that consumers’ permission should be obtained before their medical 
information is shared with banks, insurers and others. Congress should also clarify that state law 
that provides a higher degree of protection of medical information is preserved. Enacting such 
protections would bring the laws in line with what health care consumers need and expect. 
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Good morning Mr. Chairman and distinguished members of the Subcommittee. 
Thank you for asking me to testify before you today. 

My name is Christopher Reynolds and I am a partner with the law firm of 
Morgan, Lewis and Bockius, which serves on the United States Chamber of Commerce 
Labor Relations Committee. I am here to testify on behalf of the Chamber about the Fair 
Credit Reporting Act’s (FCRA) effect on employee background checks and employer 
investigations into workplace misconduct. 

The Chamber has asked me to speak here today because, as part of my law 
practice, I frequently conduct sensitive and confidential investigations into potential 
workplace misconduct and advise clients with regard to legal issues related to those 
investigations and employee background checks, including issues involving FCRA. 

More generally, my law practice involves representing employers in discrimination and 
other employment-related litigation and counseling employers on a broad range of 
matters, including discrimination, equal employment opportunity, global workplace 
diversity, regulatory compliance and workforce restructuring. I also regularly speak on 
such matters and have authored a handbook entitled “The Prevention and Investigation of 
Sexual Harassment Claims,” as well as several white papers on related topics. In 
addition, I am a member of the American Bar Association’ s Labor Section Equal 
Employment Opportunity Committee, a former co-chair of that organization’s National 
Institute on Sexual Harassment, a member of the Legal Division of the Securities 
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Industry Association and a member of the Advisory Board of Regulatory DataCorp 
(RDC). 1 


My understanding is that today’s hearing is one of several scheduled to address 
various issues that may become part of the debate surrounding reauthorization of FCRA’s 
uniform standards provisions. Before addressing the issues specific to today’s hearing, 
the Chamber would like me to stress that reauthorization of these provisions is of vital 
importance to its members, and the entire economy. As you know, FCRA’s uniform 
standards fostered the growth of the national credit system we enjoy today. This credit 
system has helped facilitate the creation of our whole consumer credit economy, from the 
miracle of instant credit to the ubiquitous availability of credit cards. 

Failure to reauthorize the uniform standards could result in the collapse of this 
credit system that has become so vital to our economy. In its place, we would have 
multiple and conflicting state credit rules, creating a complex and costly web of 
regulation that would confuse and confound both consumers and lenders alike. This 
could limit the availability of instant credit, and make it more difficult and expensive for 
consumers to obtain credit for everything from home loans to student loans. 

Credit availability is also vital to small businesses, which often rely on access to 
credit to start new businesses or tied them over during lean times. Thus, a failure to 
reauthorize could not only jeopardize our consumer economy, but could also stymie the 
economy’s ability to create new jobs through small businesses. 

1 Launched July 1 6th, 2002, Regulatory DataCorp, Int'l. LLC ("RDC") was formed for the purpose of 
aggregating and leveraging public information and regulatory and industry expertise on a global basis to 
enable clients to better identify and manage legal, regulatory and reputational risks and comply with global 
regulatory responsibilities. RDC has created a worldwide clearinghouse of public information that 
conforms to international standards and regulations, and tools necessary for clients to conduct automated 
due diligence on entities, individuals and transactions on a wholesale, cost-effective and timely basis. 

RDC's services are designed to help clients identify and manage serious threats posed to global security by 
money laundering, fraud, corruption, terrorism, organized crime, and other suspicious financial activities. 
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Reauthorization, however, is not the Chamber’s only concern with FCRA. The 
issue before you today - the effect of FCRA on background checks and workplace 
investigations - also is of the utmost concern to Chamber members. 

Both background checks and workplace investigations play a key role in 
employer efforts to protect employees, customers, stockholders and the public at large 
from workplace violence, harassment, financial misdeeds and other dangerous and 
unlawful acts. While FCRA does not affect every background check or investigation, it 
does affect many. Specifically, when employers hire experienced and objective third 
parties to conduct background checks and workplace investigations, as is often practical 
or necessary for them to do, the background check, and arguably the workplace 
investigation, must comply with FCRA’s numerous notice and disclosure requirements. 
This is the case even though the check or investigation may have nothing to do with the 
individual’s credit or credit worthiness. 

Because FCRA affects background checks and investigations into workplace 
misconduct differently, I will address each issue separately. 

Background Checks 

Our primary concern with regard to background checks is not with existing law , 
but rather that, as part of the reauthorization effort, new provisions will be added to 
FCRA that could adversely affect employers’ ability to obtain reliable job-related 
background information on applicants or current employees. 

As I will explain in greater detail, background checks are an essential 
employment-screening tool and, increasingly, both the public and the government are 
demanding that employers expand use of background checks to enhance workplace 
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security. While the Chamber recognizes that - particularly at this time - it is crucial that 
security needs be balanced with individual rights, FCRA and other federal laws already 
provide protections to ensure privacy, accurate reporting and fair use of background 
checks. Consequently, the Chamber strongly urges you to resist adding provisions that 
would hamper employers from obtaining reliable, relevant, and job-related background 
information on applicants and employees. In fact, if you are to make any changes to 
FCRA that would impact background checks, we recommend it be one that removes 
impediments FCRA poses to obtaining background checks on contract workers. 

Background Checks and Workplace Security 
Employers use information gathered from background checks to help screen out 
individuals who may pose a danger to the workplace or who may be inappropriate for 
certain jobs. For example, an employer may not want to hire an individual who has 
multiple recent drunk driving convictions as a school bus driver, or a person with a 
history of embezzlement as a bookkeeper. 

A typical background check contains a review of an individual’s criminal history, 
and sometimes other information pertinent to employment, such as verification of 
educational or professional credentials or prior work history. For certain positions, such 
as one where the individual will be responsible for large sums of money, the background 
check may also include a review of the candidate’s credit history. 

Available evidence suggests that background checks are effective at revealing 
information relevant to employment eligibility that the employer may not find elsewhere. 
For example, Avert, Inc., an Internet-based screening company, found that at least 24 
percent of the 1.8 million applicants it screened in 2000 submitted information that was 
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misleading or negative and 6 percent of the background checks revealed a criminal 
history. 2 Similarly, in 1998, the Society for Human Resource Management (SHRM) 
released survey results showing that 45 percent of the employers that conducted 
background checks at one point or another found an applicant had lied about criminal 
records. 3 

In addition, at least with regard to criminal activity, statistics show that past 
criminal behavior can be predictive of future criminal behavior. In 2002 the Bureau of 
Justice Statistics reported on prisoners released in 1994. The report revealed that 81.4 
percent of the prisoners had convictions prior to the one for which they had just served 
time and, within three years of release, 46.9 percent were convicted of a new offense. 4 

Anecdotal evidence demonstrating the importance of background checks is also 
readily available. While there are many examples, the case of Ernesto Forero-Oijuela is 
particularly interesting. Authorities suspected that Forero-Oijuela was a high-level figure 
in one of the world’s largest drug cartels, and Maryland had charged him with the 1991 
murder of a Baltimore businessman. 5 He had eluded federal authorities, however, for six 
years, until he was fingerprinted and had a background check as part of his employment 
application at Merrill Lynch. 6 


2 Company Finds Plenty of Bogus Info in JobApps, Business & Legal Reports (June 12, 2001), retrieved 
from httD://hr.blr.com/eiert.cfm?id=362 . 

3 Survey is available at httD://www.shrm.org/survevs/default.asr>?Dage=available.htm . 

4 Patrick A. Langan and David Levin, Recidivism of Prisoners Released in 1994 , Bureau of Justice 
Statistics, Special Report at 2 (June 2002). 

s Michael James, Cartel trial could hit Md.; Drug ring suspect awaits extradition on murder charge; 1991 
victim from Bel Air; Columbian man 's job played a role in his New Jersey arrest, Baltimore Sun, (Jan. 29, 
2000 ). 

6 Id. 
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The Public and the Government Demand 
Increased Use of Background Checks 

Since the tragic events of September 11, growing concerns over workplace 
security have fueled an increased public and government demand for use of background 
checks as an employment-screening tool. In fact, last year, Harris Interactive reported 
that, according to a recent poll, 53 percent of employees want employers to conduct more 
detailed background checks. 7 Other studies have yielded similar results. 8 

As for the government, in this session alone. Congress has introduced at least 
twenty-one different bills requiring background checks for employees that perform 
specific jobs or work in a specific industry (a list of these bills is attached to this 
testimony). Some of these bills are driven by national security concerns, such as H.R. 
1407 which requires background checks for locksmiths working injudicial or executive 
branch facilities, or S. 157 which requires background checks for certain employees 
working in the chemical industry. Others, such as H.R. 439, which requires background 
checks for workers entering people’s homes, or H.R. 1 855, which requires background 
checks for certain health care providers, are aimed at protecting individuals from fraud, 
theft, violence and other crimes. 

The 107 th Congress was also active with regard to background check legislation, 
enacting several laws requiring backgrounds checks for certain airline, port and other 
transportation workers. 9 


7 Harris Interactive, Privacy and Security: The Mind and Mood of U.S. Employees and Managers (May 14, 
2002 ). 

8 Bureau of Justice Statistics, Public Altitudes Toward Uses of Criminal History Information 32 (July 2001) 
(NCJ 187663). 

9 Maritime Transportation Security Act of 2002, the USA PATRIOT Act and the Aviation Transportation 
Security Act. 
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Many states also have enacted their own laws requiring employers in childcare, or 
similar industries, to conduct background checks on prospective employees . 10 Even 
where there are no explicit requirements to conduct a background check, some states 
implicitly encourage employers to conduct background checks by permitting negligent 
hiring suits. In these suits, courts may hold an employer liable for an employee’s tortious 
actions, if the employer did not meet a certain standard of care in selecting the employee, 
including failing to conduct a background check or not conducting the background check 
thoroughly. 

It is clear from these legislative efforts that many in Congress, as well as those in 
the state legislative bodies and courts, endorse greater use of employee background 
checks as a tool for increasing safety and security. 

Current Regulation of Background Checks Balances Security Needs and 
Individual Rights 

FCRA 

FCRA defines “consumer report” as any written or oral communication by a 
consumer reporting agency (CRA) which bears on a person’s creditworthiness, character, 
general reputation, personal characteristics, or mode of living, if the communication is 
used or collected in order to determine eligibility for, among other things, employment." 
Under the statute, a CRA is any organization that regularly assembles consumer reports 
for a fee . 12 According to both the courts and the Federal Trade Commission (FTC), the 


10 See, e.g., Ala. CODE § 16-22A-5 

11 15U.S.C. § 1681a. 

12 Id. 
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agency that enforces FCRA, a criminal background check on prospective or existing 
employees constitutes a consumer report when it is conducted by a CRA. U 

Thus, if an employer hires an organization that regularly conducts background 
checks, such as a private investigator or a company like Choicepoint, the background 
check falls within FCRA’s purview. 

Background checks performed by the employer, or by outside organizations that 
are not CRAs, however, are not regulated by FCRA . 14 Also excluded from FCRA’s 
requirement are “any reports] containing information solely as to the transactions or 
experiences between the consumer and the person making the reports ].” 15 For example, 
if an employer uses an outside organization to conduct drug or psychological testing on a 
candidate, the test results are not a consumer report because the information is based on 
transactions or experiences between the candidate and the testing agency . 16 

Despite these exceptions, it appears most of the background checks performed 
every year are regulated by FCRA , 17 primarily because most employers find it more cost 
effective to outsource background checks to CRAs. 

For covered background checks, FCRA imposes certain requirements on the 
employer and the CRA to ensure privacy and accurate reporting. Specifically, the 
employer must notify the employee or applicant and obtain his or her consent before 


13 See Lewis v. Ohio Professional Electronic Network, 190 F. Supp. 2 1049 (S.D. Ohio 2002); Wiggens v. 
District Cablevision, Inc., 853 F. Supp. 484 (D.D.C. 1994); June 9, 1998 letter from William Haynes, 
Attorney, FTC Division of Credit Practices to Richard LeBlanc; see also Using Consumer Reports: What 
Employers Need to Know, Federal Trade Commission (Mar. 1999), retrieved from 
http://www.ftc.gov/bcp/conline/Dubs/biispubs/credempI.htm . 

14 15U.S.C. § 1681a(d)(2). 

15 Id. § 1681a(d)(2). 

16 See Hodge v. Texaco, Inc., 975 F.2d 1093 (5* Cir. 1992). 

17 Ann Davis, Firms Dig Deep Into Workers ’ Pasts Amid Post-Sept. 11 Security Anxiety, Wall Street 
Journal Online (Mar. 12, 2002) (Choicepoint (a CRA) reports it ran over 5 million background checks last 
year); Company Finds Plenty of Bogus Info in Job Apps, Business & Legal Reports (June 12, 2001), 
retrieved from http;//hr.blr.eom/elert.cfm?id=362 (Avert, Inc., an Internet-based CRA, ran over 1.8 million 
checks in 2000). 
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initiating the check. 18 The employer must also provide the applicant or employee with a 
copy of the background check and a summary of his or her rights under FCRA before 
taking an adverse employment action (i.e., termination, demotion, etc.) based on the 
check. 19 Following any adverse action, the employer must also provide the individual 
with the name, address, and phone number of the CRA (including any toll-free telephone 
number established by a national CRA) and a notice setting forth the individual's right to 
dispute the accuracy or completeness of any information in the report. 20 The CRA is 
obligated to reinvestigate the matter free of charge and record the status of the disputed 
information within 30 days, if the employee or applicant challenges the information in the 
check. 21 

FCRA also sets certain limits on the information that a CRA may report. 
Specifically, if the check is done on employees or applicants expected to earn less than 
$75,000 a year, FCRA prohibits the CRA from reporting information regarding arrest 
records, civil suits or judgments, or other adverse information from more than seven 
years prior to the check or according to the applicable statute of limitations, whichever is 
longer. 22 

Discrimination Laws 

Federal discrimination laws limit the extent to which an employer may rely on 
individuals’ criminal history when making employment decisions. Specifically, both the 
Equal Employment Opportunity Commission (EEOC) and federal courts have said that 


13 15 U.S.C. § 1681b(b){2). 

19 Id. § 1681b(b)(3). 

20 Id § 1681m(a). 

21 Id. § 1681 i, note there are exceptions to these rules for checks performed pursuant to national security 
and on individuals in working in transportation industry. See Id. § 1 68 1 b(b)(2)-(4) . 

12 Id.. § 1681c(a) & (b). 
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basing employment decisions on criminal history can have a disproportionate effect on 
select minorities, and therefore may run afoul of Title VII of the Civil Rights Act of 
1964. 23 To avoid problems with Title VII, the employer must show that an individual’s 
criminal history is “job related” and the employment action is “consistent with business 
necessity.” 

State discrimination laws are even more restrictive. Indeed, many prohibit 
employers from even asking candidates about arrest records and impose limitations on 
employer inquiries into convictions. 24 

In short, both FCRA and federal and state discrimination laws provide ample 
protection for individuals undergoing background checks and Congress should not be 
imposing any greater restrictions at a time where employers are facing increased public 
and governmental pressure to perform such checks. In fact, if you are to enact any 
changes to FCRA that affect background checks, we recommend you remedy the 
problems discussed below arising from FCRA’s application to background check on 
contract workers. 


23 42 U.S.C. § 2000e et seq.; see Equal Employment Opportunity Commission Policy Guidance on the 
Consideration of Arrest Records in Employment Decisions Under Title VII ( 1 990) (citing several cases 
supporting this proposition). 

24 See, e.g., Mass. Gen. Laws ch. 15 IB § 4(9)(ii). Given protections provided under Federal law(i.e. the 
use of criminal history must be “job related” and “consistent with business necessity”), the Chamber 
questions the need for these additional state restrictions, particularly to the extent that they prohibit 
employers from obtaining relevant and important information. A clear example of the problems these state 
laws can cause was recently reported on by the Washington Post. The article discusses a recent charge 
against a D.C. high school counselor for the rape of a student. Apparently, in 1996, prior to being hired by 
the school, the counselor had faced previous rape charges - this time of a 1 5 year old - but that trial had 
ended in a hung jury. The school knew of the 1996 charge at the time it hired the employee, but because 
the charge had not resulted in a conviction, D.C. law prohibited them from using the charge as a basis for 
refusing to hire the counselor. See Sylvia Moreno and Henri Cauvin, Counselor Faces Sex Charges, The 
Washington Post, (June 5, 2003). As this case demonstrates, and as the EEOC recognizes in their guidance 
on this issue, information about an employee’s arrests can be important to hiring and other employment 
decisions. See Equal Employment Opportunity Commission Policy Guidance on the Consideration of 
Arrest Records in Employment Decisions Under Title VII { 1990). 
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FCSA and Contract Workers 

Employers, particularly those in security sensitive and highly regulated industries, 
often need to ensure that a background check has been run on contract workers. 

However, employers are reluctant to run these checks themselves because doing so could 
result in the contractors being deemed employees for tax, labor law, or other purposes. 

Thus, employers rely on the contractor (the company supplying the contract 
workers) to run the checks. However, employers may need to see a copy of the 
background check in order to verify that the contract worker meets certain criteria. This 
can cause problems with FCRA, if the contractor regularly provides the background 
checks. In such circumstances, the contractor may be deemed a CRA and have to comply 
with FCRA’s many requirements. 

Again, if you do intend to make changes to FCRA beyond reauthorization, we 
urge that you address this problem. 

Investigations into Workplace Misconduct 

I am also here to discuss FCRA’s impact on employer investigations into 
workplace misconduct. 25 

Workplace investigations are a critical part of employer efforts to combat 
harassment, violence, theft, fraud and other threats to the workplace and, in some 
instances, national security. 

On April 5, 1999, the FTC issued a staff opinion, know as “the Vail letter,” which 
has made it significantly more difficult for employers to conduct investigations. The 

25 Because of the importance of this issue to the Chamber, not only am I testifying hear today, but the 
Chamber also testified on this issue in 2000 and has sent several letters to the FTC requesting it rescind the 
Vail letter. 
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letter was issued in response to an inquiry as to whether employers using “outside 
organizations” to conduct sexual harassment investigations need to comply with FCRA. 
The letter states that organizations that regularly investigate allegations of workplace 
sexual harassment, such as private investigators, consultants or law firms, are “consumer 
reporting agencies” under FCRA, and that if the employer hires such an organization to 
conduct an investigation, then both the employer and the CRA must comply with 
FCRA’s notice and disclosure requirements. While the Vail letter only addresses 
whether FCRA applies to sexual harassment investigations, a subsequent FTC opinion 
letter states that FCRA applies to any investigation of employee misconduct. 26 

FCRA’s notice and requirements include: 

1. notice to the employee of the investigation; 

2. the employee’s consent prior to the investigation; 

3. a description of the nature and scope of the proposed investigation, if the 
employee requests it; 

4. a release of a full, un-redacted investigative report to the employee; 

5. notice to the employee of his or her rights under FCRA prior to taking any 
adverse employment action; and 

6. that the CRA reinvestigate the matter free of charge and record the status of 
the disputed information within 30 days, if the individual disputes the 
accuracy or completeness of the information obtained in the investigation. 27 


The Vail Letter Deters Employers from Using Experienced 
Outside Investigators 


Because it is virtually impossible to conduct an investigation while complying 
with FCRA’s requirements, and because employers and investigators face unlimited 
liability, including punitive damages, for failure to comply with any of FCRA’s many 
technical requirements, the Vail letter effectively deters employers from using 


26 See August 31, 1999 letter from David Medine, FTC Associate Director Division of Financial Practices, 
to Susan Meisinger; see also Statement of Federal Trade Commission before the House Banking and 
Financial Services Committee, May 4, 2000. 

11 15U.S.C. § 1681 etseq. 
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experienced and objective outside organizations to investigate workplace misconduct . 28 
Yet, in many cases, an employer must do so in order to comply with obligations under 
other laws. Thus, the Vail letter often places employers in the untenable position of 
having to choose between two legal obligations. 

While the Chamber believes the FTC should rescind the Vail letter because it 
misconstrues FCRA and conflicts with Congressional intent, the agency has repeatedly 
refused to do so, claiming a legislative fix is needed. 

The Importance of Outside Investigators 
While an employer may avoid running afoul of Vail by performing the 
investigation itself, there are many instances where a company has no choice but to use 
an outside investigator. For example, the technical nature of the alleged misconduct may 
require an expert investigator, such as where the misconduct involves securities fraud. In 
other instances, such as corporate governance cases, the investigation may involve 
misconduct by a high-level official and outside objectivity is necessary. In other cases, 
the employer may simply lack the resources to conduct an in-house investigation. 

Even where outside investigators are not necessary, they may be preferred. 

Indeed, both the courts and administrative agencies have strongly encouraged employers 
to use experienced outside organizations to investigate suspected workplace violence, 
employment discrimination and harassment, securities violations, theft or other 
workplace misconduct . 29 As Assistant Attorney General James K. Robinson said in his 


28 See May 24, 2000, letter from Howard Price, U.S. Department of Commerce Contracting Officer, to Jane 
Juliano and June 14, 2000, letter from Jane Juliano to William M. Daley, Secretary of Commerce, both 
stating that the Department has stopped hiring outside contractors to conduct discrimination investigations. 
Several Chamber members have informed us they have also been hesitant to use outside investigators due 
to the Vail letter. 

29 See e.g, Burlington Industries Inc. v. EUerth, 1 1 8 S.Ct. 2257 (1998) and Faragher v. City of Boca Raton, 
118 S.Ct. 2275 (1998) (clearly delineating employers obligations under Title VII to investigate all 
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May 4, 2000 statement to this Committee, “[t]he Department [of Justice] and other 
agencies often strongly encourage companies, as part of their compliance programs, to 
retain outside counsel to conduct certain internal investigations, on the theory that an 
outsider is less subject to retaliation or intimidation by supervisors or co-workers and is 
less likely to be biased by concerns for the company’s business with existing or future 
customers.” 

The experience of the investigator can also be an issue. For example, according 
EEOC guidance, “whoever conducts the investigation should be well-trained in the skills 
that are required for interviewing witnesses and evaluating credibility.” 30 Few employers 
have the resources to keep on staff an individual who is well trained in interviewing 
witnesses and evaluating credibility. 

Yet, because of the Vail letter, employers cannot use outside investigators without 
risking potential unlimited liability under FCRA. 

Why It is Impossible to Conduct an Effective Investigation and Also Comply With 
FCRA’s Notice and Disclosure Requirements 

According to the Vail letter, FCRA’s disclosure requirements apply to any 
employment investigation that meets the Act’s definitions and is conducted for a fee by 
an “outside organization.” As a result, employers have to obtain consent from employees 
suspected of theft, discrimination, SEC violations and other improprieties before 
retaining an outside organization to conduct an investigation. 


employee complaints of sexual harassment); EEOC Enforcement Guidance: Vicarious Employer Liability 
for Unlawful Harassment by Supervisors, 6/21/99 ("An employer should set up a mechanism for a prompt, 
thorough, and impartial investigation into alleged harassment [and wjhoever conducts the investigation 
should be well-trained in the skills that are required for interviewing witnesses and evaluating credibility”). 
30 EEOC Enforcement Guidance: Vicarious Employer Liability for Unlawful Harassment by Supervisors, 
6/2 1/99 ("EEOC Guidance”). 
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The absurdity of this was recently highlighted in Rugg v. Hanac. In that case, a 
company's former executive director, relying on the Vail letter, sued the board of 
directors under FCRA for failing to provide her notice and obtain permission before 
hiring an outside organization to conduct an investigation which lead to her termination. 
The board of directors launched the investigation after the City of New York expressed 
concern with the company’s finances following a routine audit. While the court 
expressed reservations about the validity of the Vail letter interpretation, it nonetheless 
denied the employer's motion to dismiss and ordered more discovery on the issue of 
whether the outside investigator regularly conducted such investigations, and therefore is 
a CRA within the meaning of the statute. 31 

As this case demonstrates, Vail creates serious conflicts between a company’s 
responsibilities under FCRA and a board of director’s duties to meet its corporate 
governance obligations, such as those under the Sarbanes-Oxley Act of 2002. 32 
Obviously, the board of directors could not inform or obtain consent from the executive 
director before launching its investigation that might uncover her own financial 
improprieties. Nor could it ask the executive director to conduct an in-house 
investigation into such matters. 

This case, however, is only one example of the many conflicts between Vail and 
employers’ duties under other laws. Civil rights laws are another example. As then 
Chairwoman of the EEOC Ida Castro warned in 2000, “the FTC’s conclusion that the 
FCRA’s numerous and highly specific requirements control third-party discrimination 


31 See Rugg v. Hanac, 2002 WL 3 1 132883 (S.D.N.Y. 2002); see also Friend v. Ancillia Systems Inc, 68 F. 
Supp. 2d 969 (N.D. 111. 1999). 

32 Pub. L. No. 107-204. 
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investigations has serious unintended consequences for the enforcement of civil rights 
laws.” 33 

Simply put, employers cannot both adhere to FCRA’s disclosure and consent 
requirements and comply effectively with their obligations under federal anti- 
discrimination laws. 

In two 1998 cases, Burlington Industries, Inc. v. Ellerth, and Faragher v. City of 
Boca Raton, the Supreme Court delineated employers’ obligations under Title VII of the 
Civil Rights Act of 1964 34 to investigate thoroughly all employee complaints of sexual 
harassment 35 and to take reasonable care to prevent and promptly correct harassment . 36 
An employer who fails to meet these obligations can be found liable for a rogue 
supervisor’s actions and greatly increase the likelihood it will be assessed punitive 
damages. 37 

Following these decisions, the EEOC issued comprehensive policy guidance, 
explaining the circumstances under which employers can be held liable for unlawful 
harassment by supervisors. 38 The guidance, which does not limit its scope to “sexual 
harassment,” but covers all forms of harassment in the workplace, addresses the steps 
employers should take to prevent and correct harassment. It states that an anti- 
harassment policy and complaint procedure should contain, among other things, 


33 Statement of Ida L. Castro before the Committee on Banking and Financial Services, May 4, 2000. 

34 42 U.S.C. § 2000e el seq. 

35 Although Burlington and Faragher involved claims of sexual harassment, many courts have extended the 
holdings to allegations of race and other forms of discrimination. 

36 Burlington Industries, Inc. v. Ellerth, 118 S.Ct. 2257 (1998) and Faragher v. City of Boca Raton, 118 
S.Ct. 2275 (1998). These cases dealt with employer liability for a supervisor’s actions. Although the 
standard for assessing 1 lability a gainst a n e mployer for supervisor’s actions differs slightly from that of 
when harassment was done by co-workers, the end result is the same. Again, for the reasons mentioned 
above, an employer is best served by using experienced and objective outside investigators. 

37 See Kolstad v. American Dental Association , 527 U.S. 526 (1999). 

38 See , EEOC Enforcement Guidance: Vicarious Employer Liability for Unlawful Harassment by 
Supervisors, 6/21/99 (“EEOC Guidance”). 
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assurances that employees complaining of harassment and other witnesses will be 
protected against retaliation: the employer will protect the confidentiality of harassment 
complaints and records relating to such complaints to the extent possible; the employer 
will conduct a prompt, thorough, and impartial investigation; and the employer will take 
immediate and appropriate corrective action when it determines that harassment has 
occurred . 39 

Clearly, an employer cannot both comply with FCRA’s disclosure requirements 
and the guidelines. Indeed, an employer could be thwarted from performing the 
investigation altogether if the employee exercised his or her rights under FCRA to 
withhold consent. Also, advance notice of misconduct investigations could result in 
destruction of incriminating evidence. Other problems can arise due to FCRA’s 
disclosure requirements. For example, few witnesses would come forward if they knew 
their testimony would be readily released to the accused harasser. 

In short, an employer simply cannot meet its Title VII obligations while 
complying with FCRA. 

In addition to Title VII, Vail thwarts employers’ ability to comply with other 
numerous federal and state laws. For example, under the securities laws, broker-dealers 
have a statutory obligation to pursue allegations of wrongdoing by their employees and 
are monitored by self-regulating organizations. Among other things, broker-dealers 
conduct surprise internal audits and branch office compliance examinations to meet their 
statutory supervisory obligations. Often, outside consultants are used for these 
investigations. Moreover, in cases of suspected fraud, it is standard practice for issuers 
and broker-dealers to hire a law firm to conduct internal investigations. All the problems 
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discussed above with regard to discrimination investigations are equally applicable to 
securities investigations. 

Similarly, the laws regulating health and safety in the workplace require 
employers to provide a safe workplace and to investigate potential hazards including 
exposure to workplace violence. The Federal Drug-Free Workplace Act also imposes a 
duty on employers to investigate and eliminate drug use in the workplace. 

Indeed the list of required employment related investigations is seemingly 
endless. 

Vail Misconstrues FCRA 

It is also clear that Vail misconstrues FCRA. There is no evidence in FCRA’s 
text or legislative history that it was intended to apply to investigations of employee 
misconduct. The title of the statute - The Fair Credit Reporting Act - as well as the first 
few sentences of the Act are particularly telling on this point. Specifically, FCRA states 
that Congress found that “the banking system is dependent upon fair and accurate credit 
reporting. Inaccurate credit reports directly impair the efficiency of the banking system, 
and unfair credit reporting methods undermine the public confidence in the banking 
system .” 40 Clearly, the legislation was enacted to address the effect of inaccurate credit 
reports on the banking system and the financial well-being of consumers, rather than 
employee privacy rights in the face of investigations into specific acts of workplace 
misconduct. As Committee Chair Oxley and Subcommittee Chair Bachus aptly stated, 
“Congress did not craft the FCRA to apply to [employment investigations ].” 41 


40 15 U.S.C. Section 1681(a)(1). 

41 See also Hartman, 158 F.Supp.2d at 876 (“There is nothing in the FCRA or its history that indicates that 
Congress intended to abrogate the attorney-client or work-product privileges, as would be the effect of 
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In addition, most courts that have specifically considered the letter have either 
rejected it or seriously questioned its reasoning . 42 As one court put it, the letter “appears 
to have drawn a false analogy between employment decisions by a present or prospective 
employer based on information about a consumer’s general status (such as credit, 
criminal or family history and the like) and a decision by a present employer about the 
consumer’s particular workplace conduct (such as threats of violence ).” 43 

While the FTC has acknowledged the problem caused by the Vail letter , 44 it 
nonetheless has refused to reverse its position, claiming, even as recently as a few weeks 
ago, that a legislative fix is necessary . 45 


applying the FCRA’s requirements (which include disclosure of the report) to reports of the type at issue in 
this case”). 

42 See Rugg v. Hanac, 2002 WL 31 132883 (S.D.N.Y. 2002); Hartman v. Lyle Park District, 158 F.Supp.2d 
869* 876 (N.D. 111. 2001); Johnson v. Federal Express Corp., 147 F.Supp.2d 1268, 1272 (M.D. Ala. 2001); 
Robinson v. Time Warner, Inc., 187 F.R.D. 144; 1999 U.S. Dist. LEXIS 14304 at 14 n.2 (S.D.N.Y. 1999). 

43 Johnson , 147 F.Supp.2dat 1272. 

44 In the Statement of Federal Trade Commission Before the House Banking and Financial Services 
Committee Subcommittee on Financial Institutions and Consumer Credit (May 4, 2000), the Commission 
said: 

The Commission fully appreciates that practical problems may arise in applying all 
FCRA requirements to investigations by third parties of workplace misconduct. The 
Commission a grees t hat t here i s c onsiderable t ension b etween s ome o f t he a ffirmative 
requirements that . . . FCRA imposejs] on employers and certain public policy aims of 
statutes and regulations that* directly or indirectly, compel or encourage investigations of 
various forms of workplace misconduct. Most notably these include the FCRA 
requirement that an employer obtain an employee’s written authorization before 
preparing a consumer report, which arguably provides an antagonistic employee the 
opportunity to thwart a third-party investigation by withholding authorization. We 
understand this is especially troubling for small employers (who may not have the 
personnel or expertise to conduct an “in-house” investigation, and any employer who 
wishes to put a workplace investigation in the hands of an outside entity in order to foster 
a greater sense of impartiality. 

*** 

Additionally... [b]y alerting the employee to the investigation, it may permit a dishonest 
employee to destroy or alter evidence, seek to influence potential witnesses, and 
otherwise impair the reliability of the investigation. The requirements that the employee 
be provided a copy of the report and that, upon request, “all information” in the consumer 
reporting agency’s file on the employee be disclosed to the employee likewise pose 
difficulties for thorough investigations. They may have a “chilling effect” on the 
willingness of others (co-workers, witnesses) to participate in the investigation, for they 
fear retribution or other adverse consequences if their identity is divulged or if sufficient 
information is available to infer the individuals who gave evidence.” 
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Legislative Fix 

Rep. Pete Sessions (R-TX) has introduced H.R. 1543, the Civil Rights and Employee 
Investigation Clarification Act, which would exempt certain workplace misconduct 
investigations from FCRA’s notice and disclosure requirements. The bill would require, 
however, that the employer provide the subject of the investigation with a summary of the 
report, if it takes any adverse action based on the investigation. H.R. 1 543 has bi-partisan 
support and its cosponsors include members of this Subcommittee as well as other members 
of the full Committee, including Ranking Member Bamey Frank. 

While the Chamber favors a complete exemption, it realizes that it is often hard to put 
the genie back in the bottle, and that H.R. 1543 represents a concerted effort on the part of 
the cosponsors to reach a reasonable compromise between competing interests. We 
commend them for this effort and urge that this Subcommittee support H.R. 1543. 


45 See Prepared Statement of the Federal Trade Commission of the Fair Credit Reporting Act Before the 
Financial Institutions and Consumer Credit, at 17 n. 48 (June 4, 2003). 
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Bill# 

Title/Description 

Sponsor 

H.R/439 

Domestic Consumer Safety 
Act of 2003: To create a 
system of background 
checks for certain workers 
who enter people's homes, 
and for other purposes. 

Andrews (D-NJ) 

H.R. 1855 

To amend title XVIII of the 
Social Security Act to 
require home health 
agencies participating in the 
Medicare Program to 
conduct criminal 
background checks for all 
applicants for employment 
as patient care providers. 

Andrews (D-NJ) 

H.R. 364 

To amend title XIX of the 
Social Security Act to 
require criminal background 
checks on drivers providing 
Medicaid medical 
assistance transportation 
services. 

Hooley (D-OR) 

S. 769 

Private Security Officer 
Employment Authorization 
Act of 2003: To permit 
reviews of criminal records 
of applicants for private 
security officer 
employment. 

Levin (D-MI) 

S. 958 

To amend titles XVIII and 
XEX of the Social Security 
Act to prevent abuse of 
recipients of long-term care 
services under the Medicare 
and Medicaid programs. 

Kohl (D-WI) 

H.R. 2144 

To amend title 49, United 
States Code, to make 
technical corrections and 
improvements relating to 
aviation security, and for 
other purposes. 

Young (R-AK) 

H.R. 208 

To amend the Social 

Security Act with respect to 
the employment of persons 
with criminal backgrounds 
by long-term care providers. 

Thompson (D-CA) 
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S. 333 

To promote elder justice, 
and for other purposes. 

Breaux (D-LA) 

H.R. 18 

To amend title XVIII of the 
Social Security Act to 
establish additional 
provisions to combat waste, 
fraud, and abuse within the 
Medicare Program, and for 
other purposes. 

Biggert (R4L) 

S. 885 

Entitled 'Prosecutorial 
Remedies and Other Tools 
to end the Exploitation of 
Children Today Act of 

2003'. 

Kennedy (D-MA) 

S. 131 

To amend the Atomic 

Energy Act of 1954 and the 
Energy Reorganization Act 
of 1974 to strengthen 
security at sensitive nuclear 
facilities. 

Reid (D-NV) 

S, 228 

To amend title 18, United 
States Code, to limit the 
misuse of social security 
numbers, to establish 
criminal penalties for such 
misuse, and for other 
purposes. 

Feinstein (D-CA) . 

H.R. 637 

To amend title 18, United 
States Code, to limit the 
misuse of Social Security 
numbers, to establish 
criminal penalties for such 
misuse, and for other 
purposes. 

Sweeney (R-NY) 

S. 745 

To require the consent of an 
individual prior to the sale 
and marketing of such 
individual's personally 
identifiable information, 
and for other purposes. 

Feinstein (D-CA) 

S. 6 

To enhance homeland 
security and for other 
purposes. 

Daschle (D-SD) 

H.R. 1407 

To amend title 40, United 
States Code, to enhance 
security at executive and 
judicial branch facilities by 

Sessions (R-TX) 
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requiring locksmiths who 
provide locksmith services 
at such a facility to be 
credentialed, which 
includes undergoing a 
criminal history background 
check. 


S. 151 

To amend title 1 8, United 
States Code, with respect to 
the sexual exploitation of 
children. 

Hatch (R-UT) 

H.R. 2145 

To condition the minimum- 
wage-exempt status of 
organized camps under the 
Fair Labor Standards Act of 
1938 on compliance with 
certain safety standards, and 
for other purposes. 

Andrews (D-NJ) 

S. 157 

To help protect the public 
against the threat of 
chemical attacks. 

Corzine (D-NJ) 

S. 1043 

To increase security at 
nuclear power plants - 
Improve employee 
background checks under 
Section 149 of Atomic 

Energy Act of 1 954. 

lnhofe (R-OK) 

H.R. 2193 

To improve port security 
including background 
checks 

Ose (R-CA) 
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Mr. Chairman, members of the Committee, thank you for the opportunity to 
testify today regarding the role of the Fair Credit Reporting Act (FCRA) in 
employee background checks and the collection of medical information. My name 
is Marc Rotenberg and I am the executive director of the Electronic Privacy Information 
Center (EPIC), a public interest research organization in Washington. I have taught 
Information Privacy Law at Georgetown University Law Center since 1990 and I am the 
coauthor, with Professor Daniel J. Solove, of Information Privacy Law (Aspen 2003). 1 
have a long-standing interest in medical record privacy. I served on the Model State 
Public Health Privacy Law Project, directed by Professor Lawrence Gostin, and I wrote 
about the issue of preemption in the medical privacy field for the Journal of Health, Law 
and Public Policy in 1 995. 1 

Joining me this morning are Chris Hoofnagle and Anna Slomovic. Mr. Hoofnagie 
is Deputy Council of EPIC and concentrates on the Fair Credit Reporting Act. Ms. 
Slomovic, Ph.D., is the former Privacy Officer for a managed care organization. 

This morning I will provide an overview of the ongoing problem of privacy 
protection, the scope of the medical privacy rule, the need to protect medical information 
contained in credit reports. This issue should be of particular concern to this Committee 
because employers are increasingly using background checks on potential and current 
employees. Landlords are using credit reports to screen potential renters. Even health 
clubs are using credit reports as a means of evaluating applications for membership. 

The widespread use of credit reports makes it more important than ever to ensure 
that medical information is not released inappropriately without the knowledge and 
consent of the individuals and without the necessary obligations that companies that 
collect and use personal information take on. Current federal and state laws protect 
medical information in many contexts. However, the protections are now always 
sufficient, and the connections between various laws are not perfect. I would like to 
discuss some of the ways in which medical information has been misused in the past, 
ways in which federal protection of medical information varies under different regulatory 
regimes, and states actions on protecting health information. 


SCOPE OF PROBLEM 

Protecting the privacy of medical information continues to be a serious problem in 
the United States. The misuse of an individual’s medical data can result in real harms to 
that person. Privacy of medical information is undermined when an individual’s medical 
records are not properly safeguarded, misused, or produce adverse and unfair outcomes. 


1 Marc Rotenberg, Review: Institute of Medicine. Health Data in the Information Age: Use, 

Disclosure, and Privacy. Washington, DC: National Academy Press. Journal of Health, Law, and Public 
Policy (Spring 1995). 
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One of the places where medical privacy invasion is felt most acutely is in the 
workplace. Opening up medical records to employers puts individuals at risk of 
discrimination based upon their medical conditions. Employees may be harassed, denied 
medical insurance, fired, or subjected to any number of other negative consequences 
when their health records are disclosed to employers. 

Today doctors are taking extraordinary measures to safeguard patients' files. 
Some doctors are withholding medical information from health records to help patients 
keep their medical history private. A recent survey of 344 members of the Association of 
American Physicians and Surgeons revealed that 87 percent of members surveyed 
reported that their patients had requested that they exclude data from patients' medical 
records, and 78 percent of those surveyed complied. In addition, almost one-fifth 
admitted to making false entries on medical records. 2 

The absence of effective medical privacy protection adversely affects the delivery 
of medical care. Janlori Goldman, Director of the Health Privacy Project at Georgetown 
University, observed that a recent survey for the California Healthcare Foundation 
revealed that one out of six people “withdraws from full participation in their own health 
care” because of fear that health care information will be used without their permission. 3 
The Labor, Justice, and Health and Human Services Departments found that 63% of 
individuals surveyed for a report would decline genetic testing if employers or insurers 
could obtain the results." 

Still another way an individual’s medical information is misused and even 
exploited is when personal medical records are shared or sold for marketing purposes. 
Marketing provisions in medical privacy law permit “doctors, HMOs, and other 
healthcare groups to use personal patient data ... for marketing purposes.” 5 , Many on- 
line health sites collect information about visitors’ browsing, buying and clicking habits. 
According to Ms. Goldman, "The business model of many health sites is based on the 
collection, use, and resell of personal health data.” Many drug companies probably 
already know much more about us than we want them to. 

The challenges of medical record privacy are likely to increase. Some companies 
are not only collecting medical information, but also DNA sample. Genelex, a genetics 
company in Redmond, Washington, “has amassed 50,000 DNA samples, many gathered 
surreptitiously for paternity testing.” According to “CEO Howard Coleman[,] ‘Siblings 
have sent in mom’s discarded Kleenex and wax from her hearing aid to resolve the 
family rumors.’” However, whether or not the DNA is collected with an individual's 
knowledge, the data may be “stored without donors’ knowledge. Cell banked for one 


2 Dana Hawkins, Guarding medical secrets, at a cost , U.S. News & World Report, August 13, 2001 . 

3 Janlori Goldman and Zoe Hudson, “Virtually Exposed: Privacy And E-Health,” Health Affairs (California 
Healthcare Foundation, Nov./Dec. 2000). 

4 Joanne L. Huslead, Aimee Cunningham, & Janlori Goldman, Genetics and Privacy: A Patchwork of 
Protections , prepared for California Healthcare Foundation, Apr. 2002. 

5 Dana Hawkins, Medical privacy rules give patients and marketers access to health data , U.S. News & 
World Report, Jan. 29, 2001. 
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purpose, such as medical diagnosis, have been shared with or sold to other users for 
research or profit." 6 


II. LIMITATIONS ON CURRENT PROTECTIONS UNDER FEDERAL LAW 

The HIPAA Privacy Rule is designed to protect health information by giving 
individuals greater control over this information and by limiting uses and disclosures that 
can be made without explicit individual authorization. Unfortunately, there appear to be 
several areas in which intended protections fail as health information moves from entities 
that must comply with the Privacy Rule to ones that are not required to do so. I will now 
describe the gaps between the HIPAA Privacy Rule and requirements under FCRA. 

Definition of protected information is different in financial and health regulations 

Under the Privacy Rule, protected health information (PHI) is broadly defined. 
Individually identifiable information is protected when it relates to an individual’s past, 
present, or future physical or mental health; the provision of health care to an individual; 
or the past, present, or future payment for the provision of health care to an individual. 
The HIPAA definition of PHI includes information collected from an individual, as well 
as information created or received by a health care provider, health plan, employer, or 
health care clearinghouse. 1 

However, under FCRA, the term “medical information” is defined more narrowly. 
"Medical information'' means information or records obtained, with the consent of the 
individual to whom it relates, from licensed physicians or medical practitioners, hospitals, 
clinics, or other medical or medically related facilities. 8 

This definitional difference means that some information protected under HIPAA 
does not receive protection under FCRA simply because it is not obtained from one of the 
entities listed in the FCRA definition. 

Limitation on the types of entities covered by the Privacy Rule 

Congress limited the regulatory authority of the Department of Health and Human 
Services (HHS) to three specific types of entities, called “covered entities”: 

Health care providers, who electronically transmit health information in 
connection with standard transactions 
Health plans 

Health care clearinghouses 9 


6 Dana Hawkins, Keeping secrets: As DNA banks Quietly Multiply, Who is Guarding the Safe?, U.S. News 
World Report, Dec. 2, 2002. 

7 45 CFR, §160.102 and §164.501. 

8 15 USC §1681a(l). 

9 P.L. 104-191, SEC. 1172. (a) ("Applicability”). 
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Other entities may be subject to the Privacy Rule indirectly through business 
associate agreements if they are performing tasks “on behalf’ of “covered entities.” 
Examples of business associates include billing companies, law firms, accounting firms, 
and third-party administrators. Business associate agreements must be in place before 
PHI is released to these entities. These business associate agreements must stipulate that a 
business associate will not use or disclose PHI for any purposes not specified in the 
agreement. The basic principle is that business associates acting on behalf of “covered 
entities” are subject to the same rules as the “covered entities” themselves with respect to 
the activities they perform under business associate agreements. 

However, if an entity collects health information in a capacity other than “covered 
entity” or a business associate of a “covered entity,” it is not subject to the Privacy Rule. 
The Department of Health and Human Services acknowledges in the preamble to the 
December 2000 Privacy Rule that health information collected and used by life insurers, 
casualty/property insurers, auto insurers, worker’s compensation programs, employers 
and others is not subject to the protections of the Privacy Rule because these entities are 
outside the HHS statutory authority. It is, therefore, important that adequate protections 
for health information be provided in laws or regulations that govern these types of 
entities. 

Limitation on protections of health information received by employers 

HHS attempted to limit the use of health information by employers because such 
use could be particularly detrimental to individuals. In order to receive PHI from a 
“covered entity" employers generally need an individual’s signed authorization, explicitly 
stating by whom and for what purpose PHI is being obtained. In cases where an employer 
sponsors a group health plan, as defined under ERISA, the group health plan is not 
permitted to disclose protected health information to the employer plan sponsor without 
individual authorization until the plan receives a certification that plan documents have 
been amended to state that the sponsor agrees not to further use or disclose PHI except as 
permitted or required by law, and not to use health information for employment-related 
decisions. 10 

However, employers may receive health information from sources other than a 
“covered entity.” Health information received from such other sources is protected under 
the Privacy Rule. HHS stated in its preamble to the December 2000 Privacy Rule: 

With regard to employers, we do not have statutory authority to regulate 
them. Therefore, it is beyond the scope of this regulation to prohibit 
employers from requesting or obtaining protected health information. 

Covered entities may disclose protected health information about 
individuals who are members of an employer's workforce with an 
authorization. Nothing in the privacy regulation prohibits employers from 


10 45 CFR, Part 164 — Security and Privacy, 164.504, Uses and Disclosures, Organizational Requirements, 
(0(1) Standard: Requirements for group health plans. 
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obtaining that authorization as a condition of employment. We note, 

however, that employers must comply with other laws that govern them, 

such as nondiscrimination laws.” 

If an employer receives health information from a credit reporting agency or 
another source in the course of a background check on a current or prospective employee, 
the employer can use this health information in ways that are inconsistent with the 
Privacy Rule's intention to protect PHI from use or disclosure in employment-related 
actions without individual authorization. 

Limitation on protection resulting from permitted activities 

Another limitation on the protection of PHI that is of particular relevance here 
exists because the Privacy Rule disclosures to credit reporting agencies are part of 
payment-related activities of “covered entities.” In order to facilitate the smooth 
operation of the health care system and the delivery of high-quality health care, activities 
related to treatment, payment and health care operations of “covered entities” do not 
require individual authorization. Disclosures related to these types of activities are also 
not subject to Accounting of Disclosures, which individuals can request from “covered 
entities” in order to learn what disclosures have been made without authorization. 12 

The PHI that may be disclosed to credit reporting agencies under the Privacy Rule 
is limited. The definition of “Payment” includes the following: 

(vi) Disclosure to consumer reporting agencies of any of the following protected 
health information relating to collection of premiums or reimbursement: 

(A) Name and address; 

(B) Date of birth; 

(C) Social security number; 

(D) Payment history; 

(E) Account number; and 

(F) Name and address of the health care provider and/or health plan.' 5 

Although limited, such PHI can, under some circumstances, lead the recipient to 
infer what medical services have been provided to an individual. Additional information 
can be gained by learning the specialties of providers who made the report. 

As stated in the preamble to the December 2000 Privacy Rule, credit reporting 
agencies are not subject to the Privacy Rule unless they happen to be “covered entities,” 
After the consumer reporting agency receives PHI, the information is subject to whatever 


51 45 CFR, Parts 160 and 164 — Security and Privacy, Preamble, Section tit, Section-by-Section Discussion 
of Comments, Relationship to Other Federal Laws. 

”45 CFR, Part 164, § 164.528 (a)(l)(i). 

”45 CFR, Part 164, § 164.501. 
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protections are afforded to such information under the regulations governing credit 
reporting agencies. 14 

Alternative Approaches to Protecting Medical Information Indicate Important Role 
of States 

Entities that operate in multiple states look for a uniform regulatory environment 
in order to operate efficiently. For health insurers this includes the ability to consolidate 
service centers and other support operations in order to take advantage of efficiencies of 
scale and scope. As important as it is to improve efficiency of the health care system, 
however, federal preemption of state law is not the only way to obtain operational 
uniformity. State adoption of model laws and regulations is another way to create a 
uniform operating environment for organizations that operate in multiple states while 
providing states with the necessary flexibility to customize requirements for the needs of 
their citizens. 

The National Association of State Insurance Commissioners (NAIC) has 
promulgated the Privacy Model Act that requires “opt-in” for sensitive health 
information, which is broadly defined. The NAIC Model Regulations, promulgated after 
the passage of Gramm-Leach-Bliley Act, closely track the requirements of that law for 
financial information, but provide more stringent protections for the more sensitive health 
information. 

According to the NAIC, most states and the District of Columbia are adopting 
NAIC’s models. 

Twenty-four states planned to promulgate the NAIC Privacy of Consumer 
Financial and Health Information Model Regulation (the "NAIC model 
regulation") in its entirety, including the financial and health provisions. 

Nine states planned to promulgate only the financial privacy provisions of the 
NAIC model regulation. Several of these states already had health information 
protections in place or intended to follow up with health information protections 
in the future. 

Four states that previously adopted the 1982 NAIC Privacy Model Act planned to 
revise their current laws and/or regulations to be consistent with the NAIC model 
regulation’s notice and opt-out provisions for financial information; however, 
these states planned to keep the 1982 privacy model act’s opt-in requirement for 
health information privacy. The health privacy protections in the new model 
regulation also require opt-in before the disclosure of health information. 

Nine states planned to keep the 1982 model act in place. 13 


III. RECOMMENDATIONS 


14 45 CFR, Parts 160 and 164 — Security and Privacy, Preamble, Section III, Section-by-Section Discussion 
of Comments, Relationship to Other Federal Laws. 

15 NAIC press release, April 9, 2001 . 
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1) Require that Medical Information Inferred from Credit Reports be Subject to 
Strong Protections 

Congress established a strong standard for the inclusion of medical information in 
credit reports. Under the Act, medical information should only appear in the report when 
it is provided directly from a health provider and the patient has consented to the 
transfer. 16 

A December 2002 study by the Consumer Federation of America and the National 
Credit Reporting Association, and a 2003 report of the Federal Reserve highlighted an 
emerging problem for consumers: despite the protections in the FCRA, some types of 
medical conditions or treatment can be inferred from items on credit reports. 11 Both 
studies found that the names of medical creditors could indicate what categories of 
treatment a consumer received. The current protections of the Act do not cover this 
loophole, and thus we think it an opportune time for Congress to correct this problem. 

Furthermore, certain factors have exacerbated the problem caused by this 
loophole. The first is that medical collections commonly appear in credit reports, which 
exposes personal medical information to any person or business which requests a credit 
report. The Federal Reserve report found that 52 percent of collection actions are 
associated with medical bills. 18 Most of these collection items, however, are for small 
amounts. Sixty-six percent of medical collections are for amounts under $250. 19 

Second, medical organizations are beginning to use more aggressive collections 
techniques. 20 Mounting evidence suggests that health care providers are more vigorously 
pursing consumers because insurance companies frequently reject or dispute claims. 21 
Even if the insurer ultimately pays the claim, a collections item will remain on the 
consumer's report for seven years. To remove the collections item, the consumer must 
prove that it was a factual error. 

The consequences of this confluence of problems are serious. Individuals' privacy 
is not adequately protected under the law. Additionally, the Access Project found that 
providers treat patients with medical collections differently— these consumers are 


16 15 U.S.C. § 1681a(i). 

17 Credit Score Accuracy and Implications for Consumers , National Credit Reporting Association (NCRA) 
and the Consumer Federation of America (CFA), Dec. 2002, at 

http://www.ncrainc.org/documents/CFA%20NCRA%20Credit%20Score%20Report.pdf; Robert B. Avery, 
Paul S. Calem, & Glenn B. Canner, An Overview of Consumer Data and Credit Reporting , Federal Reserve 
Bulletin, Feb. 2003, at http://www.federalreserve.gov/pubs/bulletin/2003/02031ead.pdf. 

18 Id. 

19 Id. 

20 The Consequences of Medical Debt: Evidence From Three Communities, Access Project, Feb. 2003, at 
http://www.accessprojcct.org/downloads/med_consequences.pdf. 

21 Jay MacDonald, Medical Bills Can Make Your Credit Sick, Bankrate.com, Aug. 28, 2002; Eve 
Tahmincioglu, Is Your Health Insurance Hurting Your Credit, New York Times, May 12, 2002. 
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sometimes required to pay upfront for medical care, or sometimes are refused access to 
care, 22 


To address this problem, we urge Congress to amend the FCRA to obscure the 
names of creditors or collections agencies that may indicate the consumer's medical 
condition. We further recommend that Congress shorten the obsolescence periods for 
negative information when the collection and debt is insubstantial. Medical collections 
under $250 should not stay on a report for seven years; a shorter time is more 
appropriate. 

2) Allow the Preemption Loophole to Expire 

The FCRA, like many other privacy statutes, provides a federal baseline of 
protections for individuals. The FCRA is only partially preemptive, meaning that except 
in a few narrow circumstances, state legislatures may pass Saws to supplement the 
protections made by the FCRA. 

Congress should not extend the preemption loophole into the future. Consumers 
will lose important opportunities if preemption is extended— a continued federal ceiling 
will prevent states from creating additional needed protections. In our system of 
government, preemption should only be used in limited situations, and generally, 
preemption is not appropriate for consumer protection legislation. 

Our current credit reporting system has thrived under a federal baseline of 
protections that is supplemented by dozens of stronger state credit reporting laws. We do 
not operate in a credit reporting system with a single, uniform standard. The Federal 
FCRA itself grandfathered in several state laws, including California, Vermont, and 
Massachusetts, as well as settlements made between the attorneys general and the credit 
reporting agencies. 23 Additionally, the states have passed laws regulating the content and 
costs of reports, and the duties of users and furnishers. States have passed many stronger 
privacy laws in many sectors. 24 

Congress should not extend preemption in the FCRA because it will tie the hands 
of state legislators, and prevent them from performing in their traditional roles as 
“laboratories of democracy." Justice Brandeis once noted that, “It is one of the happy 
incidents of the federal system that a single courageous State may, if its citizens choose, 
serve as a laboratory; and try novel social and economic experiments without risk to the 
rest of the country." 25 


22 Id. at Fn. 9, supra ; see also Hugh F. Daty III, Leslie M. Oblak, Robert W. Seifert, & Kimberly 

Shell enberger. Symposium: Barriers to Access to Health Care, Case Western Reserve Univ. Health Matrix: 
J. of L.-Med. (Winter 2002). 

23 15U.S.C. § 1 68 1 1. 

24 See Appendix, The citations and summaries of state laws verified were as of May 2003 and were drawn 
from Robert Ellis Smith. Compilation of Stale and Federal Privacy Laws, Privacy Journal 2002. 

25 New State Ice Co. v. Liebmann , 285 U.S. 262, 3 1 1 (Brandeis, J-, dissenting). 
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State laws have not, and will not balkanize the credit system. Under the 
Supremacy Clause, state legislation that conflicts with, frustrates, or prevents compliance 
with federal credit reporting laws is automatically preempted. 26 

America’s prior experience with privacy legislation clearly favors federal laws 
that allow states to develop complementary protections. The Electronic Communications 
Privacy Act, the Right to Financial Privacy Act, the Cable Communications Privacy Act, 
the Video Privacy Protection Act, the Employee Polygraph Protection Act, the Telephone 
Consumer Protection Act, the Driver's Privacy Protection Act, and the Gramm-Leach- 
Bliley Act all allow states to craft protections that exceed federal law. 27 

Related areas of law allow states to formulate stronger protections. In areas such 
as freedom of information, civil rights law, and environmental regulation, states generally 
have the power to craft protections for their residents. Consumer protection, in general, 
is a state activity. Congress, despite giving the Federal Trade Commission (FTC) a 
consumer protection role, encourages states to create "mini-FTCs." As a result, all 50 
states have consumer protection law on deceptive practices. 

State legislators are rational actors that have accommodated the interests of 
consumers and businesses well. An entire appendix to the 1977 Report of the Privacy 
Protection Study Commission was devoted to "Privacy Law in the States." This portion 
of the report speaks strongly to the value of state privacy protection: 

Through constitutional, statutory, and common law protections, and 
through independent studies, the fifty States have taken steps to protect the 
privacy interests of individuals in many different types of records that 
others maintain about them. More often than not, actions taken by State 
legislatures, and by State courts, have been more innovative and far 
reaching than similar actions at the Federal level. . . the States have also 
shown an acute appreciation of the need to balance privacy interests 
against other social values. 

The report concludes: "The States have demonstrated that they can, and do, provide 
conditions for experiments that preserve and enhance the interests of the individual in our 
technological, information-dependent society." 

State consumer protection laws are more consumer friendly. State laws are more 
accessible to consumer litigants, and often offer longer statutes of limitations. State laws 
typically afford individuals private rights of action rather than remedies that require the 
action of a federal agency. They also enable aggressive attorney general action. State 
legislatures are better suited to tailor laws to communities. State legislatures are closer to 
their constituents, and are more likely to tailor a law to particular problems. 


26 Hines v. Davidowitz, 312 US 52 (1941). 

27 Respectively at 18 U.S.C. § 2510 et. seq., 12 U.S.C § 3401, 47 USC § 55!, !8 USC § 2710, 29 USC § 
2009, 47 USC § 227, 18 U.S.C. § 2721, and 1 5 U.S.C. § 6801. 
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Furthermore, information, more than any other product, can be tailored with 
technology in order to comply with disparate state requirements. In fact, the same 
companies lobbying for a uniform state standard for credit reporting already classify 
consumers into dozens of categories from "blue blood estates” to "hard scrabble" farmers. 
If technology has given these companies the ability to discriminate among individuals 
who live on the same block; it can also enable these companies to comply with differing 
state requirements on credit. 

3) Adopt Opt-In Framework for Affiliate Sharing 

The problems described above will be exacerbated under the current affiliate- 
sharing rules that make it too easy for personal information concerning consumers, 
including transactions that reveal medical services and condition, to be disclosed to 
others and to be incorporated into consumer profiles. 

We recommend that Congress adopt an opt-in framework to grant individuals 
greater control of their to medical, financial, and other information that may be shared 
among corporate affiliates. The complex corporate ownerships made possible by 
Gramm-Leach-Bliley pose new risks to individuals' privacy. Financial holdings 
companies may now amass a vast amount of information about their customers. Affiliates 
may include banks, insurance companies, securities firms, as well as institutions that 
significantly engage in financial activities, such as retailers that issue credit cards, auto 
dealerships that lease vehicles, and entities that appraise real estate. The law allows these 
companies to merge into large financial holding companies, and also merge their 
customers' data into one consolidated database. This data may include financial, medical 
and other sensitive information. 

Some financial holding companies have thousands of affiliates, making it 
exceedingly difficult for consumers to understand what companies may have access to 
their sensitive information. CitiGroup, Inc., for example, has over 2,700 corporate 
affiliates. 28 Similarly, Bank of America has almost 1500. 29 Given this vast scope of 
possible affiliate sharing, we believe that opt-in is the best approach to apportion rights 
between individuals and business interests in affiliate sharing. 

Having mentioned the scope of CitiGroup's affiliate network, it is important to note that 
Travelers Group, in its 1998 acquisition of Citicorp properties, agreed to keep its 
customer health and medical information confidential. 30 Travelers indicated that it would 
share medical information "only with the customer's consent or under very limited 


28 Financial Privacy and Consumer Protection Hearing Before the Senate Comm, on Banking, Housing and 
Urban Affairs , 107th Cong., Sept. 19, 2002 (statement of William H. Sorrell, Attorney General, State of 
Vermont). 

29 Id 

30 Federal Reserve Press Release (Sept. 23, 1998), at 

http://www.federalreserve.gov/boarddocs/press/BHC/1998/19980923/19980923.pdf. 
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circumstances.” 31 This agreement demonstrates that even large, complex financial 
services entities can accommodate opt-in. 


IV. ADDITIONAL ISSUES 

Mr. Chairman, I would like to bring to the Committee’s attention two additional 
issues that are not specifically related to medical record privacy, but that do implicate the 
work of the Committee as it considers the ongoing importance of the financial privacy 
laws. The first issue concerns the expanded use of background checks. The second relates 
to information obtained just this week by EPIC, under the Freedom of Information Act, 
concerning the compliance with the privacy provisions contained in the Financial 
Services Modernization Act. 

Employee background checks are being used more frequently as a result of the 
September 11, 2001 attacks. 

A simple conviction or arrest for a minor crime can result in someone not being 
able to obtain a job— even one that requires minimal responsibility or does not involve 
security sensitivity. For example, Eli Lily, in response to the September 1 1 , 2001 attacks, 
hired ChoicePoint to perform investigations on thousands of contract workers. 32 Lily's 
concern was reasonable enough — the company is the dominant producer of insulin in the 
world. But the result of the background checks was not reasonable. A pipe insulator at 
the company was fired for accidentally bouncing a $60 check. One person was dismissed 
because the records check revealed a fourteen-year-old misdemeanor marijuana 
possession charge. Another was dismissed for a crime that he did not commit. 

The FCRA addresses background checks by requiring employee consent, and by 
limiting the scope of the file for certain employees. A limited file (one that does not 
contain bankruptcies more than ten years old, other negative information more than seven 
years old, an other adverse information more than seven years old) is delivered to 
employers where the position pays less than $75, 000/year. This figure is too low in 
today's dollars. 

Congress should limit the contexts in which a report can be obtained for 
employment purposes. These should be limited to jobs where employees handle large 
sums of money, or are genuinely security-sensitive. It is clear now that the current 
standard— consent— is too low, as even menial jobs require background checks. The 
other provision that limits the content of the report if the job pays less than $75,000, is 
also inadequate. 

FTC Documents Obtained by EPIC under FOIA Indicate Ongoing Problems with 
Opt-out 


31 Id. at 84. 

3 * Ann Davis, Firms Dig Deep Into Workers' Pasls Amid Post-Sept. 11 Security Anxiety, Wall Street 
Journal, Mar. 12, 2002. 
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Documents obtained this week by EPIC from the Federal Trade Commission, 
under the Freedom of Information Act, show that a majority of the complaints, received 
by the Commission, concerning compliance by large New York-area banks, with laws 
that allow individuals to opt-out, are about Citibank. In fact, fifteen of the twenty total 
complaints were about alleged Gramm-Leach-Bliley privacy violations by Citibank. 

Of those fifteen complaints, nine concerned failed attempts to opt-out. In one 
complaint, a consumer was told that he was already taken off the list, but continued to 
receive unsolicited credit card offers. In another complaint, a consumer reported that 
“Citibank will not allow her to opt-out.” Many of the complaints claimed that Citibank 
provided no phone number to opt-out with their unsolicited credit-card offers, and one 
complaint claimed that despite the fact Citibank provided online services, it did not have 
an online form to opt-out. Finally, in a complaint by a husband and wife, each was told 
to write a letter requesting to be removed from Citibank’s credit card offer list. 
Nevertheless, despite their letters, they continued to receive the unsolicited offers three 
months later. 

These examples underscore the need for an opt-in. From this small sample, we 
can see that even where consumers take the time to write, call, or e-mail in order to opt- 
out, Citibank and other financial institutions fail to allow consumers to opt-out. Opt-out 
is simply not an effective means to safeguard consumer privacy. Opt-in is clearly 
preferable as the documents obtained from the FTC this week indicate. 


V. CONCLUSION 

Congress clearly intended to safeguard personal information through passage of 
the Fair Credit Reporting Act the legislation that led to adoption of the Health Insurance 
Portability and Accountability Act. But it is also clear that medical record privacy 
remains a critical concern in the United States today. EPIC urges the Committee to 
ensure that strong safeguards are established. Specifically, we support efforts to 
strengthen accuracy and access for credit reports. We further recommend proposal to give 
consumer control over pre-screening and limit affiliate sharing absent a dear opt-in 
provision. Most significantly, we urge the Committee to allow the stale preemption 
loophole to expire. Our Constitutional form of democracy, and the development of 
privacy law and consumer law during the latter part of the twentieth century, made clear 
that the states must have the freedom to protect the interests of consumers. As we enter 
the twenty-first century, it is clear that privacy protection is one of the great issues facing 
the nation and that the states have a central role to play. 


ABOUT EPIC 

The Electronic Privacy Information Center (EPIC) is a public interest research 
center in Washington, D.C. It was established in 1994 to focus public attention on 
emerging civil liberties issues and to protect privacy, the First Amendment, and to 
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promote the Public Voice in decisions concerning the future of the Internet. More 
information is available online at www.epic.org . 
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APPENDIX 

Examples of Privacy Safeguards in State Credit Reporting Laws 


Arrest, Conviction, and Bankruptcy Records. 

o California: CRAs may not report bankruptcies after ten years. Cal. Civil 
Code 1785.13. 

o Massachusetts: CRAs may not maintain arrest records more than seven 
years old. Mass. Gen. Laws Ann. Ch. 93 § 52. 
o New Mexico, Kansas, and Montana: Criminal data must be purged from 
the report after seven years, bankruptcies must be purged after 14. N.M. 
Stat. Ann. § 56-3-6; Kan. Stat. Ann. §§ 50-704; Mont. Code Ann. §§ 31-3- 
112 . 

Cost of Reports. 

o Georgia: Individuals are entitled to two free credit reports from each 
national credit reporting agency. Ga. Code Ann. § 10-1-393. 
o Colorado, Maryland, Massachusetts, New Jersey, and Vermont: 

Individuals are entitled to a free credit report once a year. Col. Rev. Stat. 
12-14.3-105; Md. Comm. Law Code Ann. § 14-1209; Mass. Gen. Laws 
Ann. Ch. 93 § 59; N.J. Stat. Ann. 56; 1 1-37; 9 Vt. Stat. Ann § 2480c. 
o Connecticut; Credit reports are $5. Conn. Gen. Stat. Ann. § 36a-699a. 
o Minnesota: Caps the cost of credit reports at $3. Minn. Stat. § 13C.01. 
o Maine: Caps the cost of credit reports at $2. 10 M.R.S. § 1316. 

Credit Scores. 

o California: CRAs must furnish credit scores to individuals for a reasonable 
fee. Cal. Civil Code 1785.15.1. 

o Colorado: CRAs must provide a credit score to the consumer if one is used 
when extending credit secured by a dwelling. Colo. Rev. Stat. § 12-14.3- 
104.3. 

o Connecticut: Consumers must receive report within five days of receipt of 
the request; report must include all information in the file, including any 
credit score. Conn. Gen. Stat. § 36a-696. 
o Idaho: Prohibits insurers from raising rates, denying coverage, or 
canceling a policy primarily based on a credit rating or credit history. 

Idaho Code §41-1843. 

Duties on Furnishers of Reports. 

o Massachusetts: Furnishers must follow reasonable procedures to ensure 
that the information reported to a CRA is accurate and complete, and 
furnishers may not provide information to a CRA if there is knowledge of 
or reasonable cause to believe such information is not accurate or 
complete. Mass. Gen. Laws Ann. Ch. 93 § 54A(a). 
o California: A person shall not furnish information on a specific transaction 
or experience to any consumer credit reporting agency if the person knows 
or should know the information is incomplete or inaccurate. Cal. Civil 
Code 1785.25(a). 
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Duties on Users of Reports. 

o California: Individuals may receive a free copy of their credit report when 
it is requested by an employer. Cal. Civil Code 1785.20.5. 

o Utah: Credit grantors must notify consumers when negative information is 
furnished to a CRA. Utah Code Ann. 70C-7-107. 

Investigative Consumer Reports. 

o Arizona: Sources of investigative consumer reports must be furnished to 
the individual upon request. Ariz. Stat. § 44- 1693(A)(4). 

o California: Investigative consumer reporting agencies must allow 

individuals to visually inspect files. Employers must furnish copies of the 
report to employees. Cal. Civil Code 1786. 

Notice to Consumers. 

o Colorado: CRAs must notify individuals where there have been eight 
inquiries on the report within one year or where adverse information is 
added to the report. Col. Rev. Stat. § 12-14.3-104. 

Sale of Personal Information: 

o California: Credit card issuers must give notice and an opportunity to opt- 
out when they sell customer information. Cal. Civil Code 1748.12 
(c)(3)(b). 

o Connecticut: Selling the names from credit card purchases is prohibited. 
Conn, Gen. Stat. Ann § 42-133gg. 

o Maryland: It is illegal to disclose ATM or credit card numbers Md. Crim. 
Code § 8-214. 

o Vermont: Credit reports can only be used for purposes consented to by the 
customer, and cannot be used for affiliate sharing without consent. Vt. 
Stat. Ann. § 2480e. 

Use of Medical Information. 

o Florida: An individual must be informed when genetic information was 
used to deny an opportunity. Fla. Stat. Ann. § 760.40(b). 
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Testimony of Edward L. Yingling 
On Behalf of the American Bankers Association 
Before the 

Subcommittee on Financial Institutions and Consumer Credit 
Of the Committee on Financial Services 
United States House of Representatives 
June 17, 2003 


Mr. Chairman, I am Edward Yingling, Executive Vice President of the American Bankers 
Association (ABA). ABA brings together all elements of the banking community to best represent 
the interests of this rapidly changing industry. Its membership - which includes community, 
regional, and money center banks and holding companies, as well as savings institutions, trust 
companies, and savings banks - makes ABA the largest banking trade association in the country. 

Mr. Chairman, we appreciate your holding hearings on the Fair Credit Reporting Act 
(FCRA) and the issue of protecting customer information, including medical information. There 
is no higher priority for the banking industry than the responsible use and protection of customer 
information. The banking industry has a long history of earning the trust of its customers and, in 
particular, of protecting their private financial information. Indeed, our extensive survey work 
shows that consumers trust banks more than virtually any other institution to protect their 
information. Before I address medical privacy specifically, I would like to set the context for this 
discussion by very briefly outlining the core philosophy of the banking industry regarding 
responsible use of information and the importance of preserving the FCRA for our economy. 

Thus, in my testimony today, there are three main themes: 

> The cornerstone of successful banking is preserving the trust of our customers and that 
only can be accomplished by the protection and responsible use of their financial 
information; 

> Preserving a voluntary, national credit reporting system is critical to the U S. economy; 
and 
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> Medical or health information should be private and should not be used in the credit 

granting process, except in those specific cases where it is directly relevant. In those cases, 
medical information should only be obtained with the consent of the customer. 

Let me briefly discuss each of these themes. 

Preserving Trust is the Cornerstone of Banking 

The industry values the trust customers have that banking institutions will protect their 
personal financial information. Not only is protecting privacy the right thing to do, the highly 
competitive financial market demands it. No bank can be successful without having a strong 
reputation for protecting the confidentiality of customer information. In fact, our survey work 
shows this reputation for trust is both strong among consumers and central to banking’s place in 
the competitive marketplace. 

We are now in the middle of a revolution in information technology that has dramatically 
changed the way information is gathered, used and stored. This rapidly changing technological 
landscape raises exciting new possibilities to provide customers with new and innovative products, 
to increase convenience, and to lower costs. At the same time, this changing technology raises 
important questions about the appropriate use of information and the need to make sure we meet 
the expectations of our customers that information be used responsibly. While technologies have 
changed, the importance of preserving customer trust and confidentiality of personal information 
has not - it remains a core value of the banking industry. 

Preserving a National Credit Reporting System is Critical to the U.S. Economy 

One of the keys to the strength and resiliency of the U.S. economy is the efficiency of the 
consumer credit markets. U.S. consumers have access to more credit, from a greater variety of 
sources, more quickly, and at lower cost than consumers anywhere else in the world. Over the last 
several years, particularly, the ability of consumers to use portions of their home equity for other 
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purposes has given them a level of financial flexibility that has helped consumer spending remain 
strong as other portions of the economy faltered. 

What makes this possible is a nationwide, seamless , and reliable system of credit 
reporting. Such a system would be impossible without the Fair Credit Reporting Act. For 
businesses - retailers, insurers, banks, employers, landlords and others - FCRA has helped them 
to make smart, immediate decisions that keep sales up, prices down and losses at a minimum. For 
consumers, it means they can walk into an auto dealership and drive off with a new car on the 
same day. They can move across the country and open a bank account without hassle. Picking up 
the phone or going online, homeowners can compare mortgage rates across the country and 
refinance quickly to take advantage of falling interest rates. Consumers can easily take advantage 
of varied credit card offers to obtain the best credit card deal for them. It allows them to shop 
around for the best rates on any loan commensurate with their credit history. By enabling 
complete and accurate credit histories, it has also helped expand credit access to millions of 
Americans who otherwise might not been able to get it. 

These findings are confirmed by a recent study by professors Michael E. Staten and Fred 
H. Cate entitled The Impact of National Credit Reporting Under the Fair Credit Reporting Act: 
The Risk of New Restrictions and State 
Regulation. 1 The authors demonstrate that the 
role of household credit in the U.S. economy, 
especially mortgage credit, has grown 
dramatically since the passage of FCRA (see 
Figure 1 ). They state: “Credit markets help 
translate optimism into real economic activity. In 
this way, smoothly functioning credit markets 
facilitate and extend economic expansion.” 


Figure 1 

U.S. Consumer and Mortgage Credit as a 
Percentage of Disposable Income (1960-2002) 



1 Michael E. Staten is the Distinguished Professor and Director of the Credit Research Center at the McDonough 
School of Business, Georgetown University and Fred H. Cate is the Distinguished Professor and Ira C. Batman 
Faculty Fellow at the Indiana University School of Law-Bloomington. 
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The authors also document the impact of credit reporting on traditionally underserved 
Americans. They state: “One of the more remarkable achievements attributable to the 
development of comprehensive credit 
reporting is the increased access to 
credit down the household income 
spectrum in the U.S. over the past 
three decades.” (Refer to Figure 2.) 

The intuition behind this is 
straightforward: detailed and reliable 
information on past payment behavior 
gives lenders confidence in assessing 
the creditworthiness of new borrowers 
and allows them to design products to meet the needs of previously underserved populations. And 
because the credit-reporting infrastructure helps to support broader access to credit, it can enhance 
asset and wealth accumulation - an effect particularly pronounced for younger households. 

Professors Cate and Staten extend their analyses to the implications of not continuing the 
preemptions under FCRA which enable a national standard. They conclude that: “Proposals to 
depart from a national reporting system by allowing states to intervene run the risk of upsetting the 
carefully balanced interests under FCRA, and diluting the benefits that flow from the existing 
system.” I have made copies of this study, sponsored by the Financial Services Coordinating 
Council of which ABA is a member, available to this committee. 

Simply put, the U.S. credit system works and is the envy of the world. Anything that 
increases the cost of access to information, or decreases its quality, would reduce the flow of credit 
in our economy and significantly impact retail sales and the housing markets. With $8 trillion in 
consumer credit outstanding, even the slightest change or uncertainty about the consistency and 
completeness of credit histories can have a huge economic consequence. This is why the 
reauthorization of FCRA, and in particular the pre-emption of state laws which assures a national, 
consistent and complete system, is so important. 


Change in the Proportion of U.S. Households Using 
Non-Mortgage Credit (1970 vs. 2001) 



Lowest 2nd Lowest Middle 2nd Highest Highest 
Income Quintile 
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Medical and Health Information In the Credit Granting Process - Limited Use 
and Only With Customer Permission 

It would seem obvious that medical information is at the top of the list of personal 
information about which consumers are concerned, and, indeed, our survey work confirms that. 
Throughout its history, the banking industry has protected the medical information of its customers 
whenever that information has been made available to banks. Therefore, our approach to medical 
information is straightforward. With respect to banks, medical information should only be used 
for the express purpose for which it is provided and should not be shared without the express 
consent of the customer. More specifically, concern has been expressed that lenders might use 
medical information obtained elsewhere in making a credit decision. ABA’s position is that such 
use of medical information in a credit decision obtained without the knowledge and consent of the 
borrower is just plain wrong. Let me explain further. 

The general approach is that medical and health information should not be used at all when 
making credit decisions. However, there are a limited number of instances where medical 
information is relevant - for example, in sole proprietorships or small businesses where the 
franchise value of the firm hinges on one or two key individuals. In such cases, insurance on the 
key individuals might be required. However, in those instances, the prospective borrower will 
know what information is required, and can expressly consent to its being obtained and used. 
Otherwise the lender should not obtain medical information. 

Thus, in general, medical and health information should not be sought during the credit- 
granting process. In those types of loans where it is directly relevant, the information should only 
be obtained with the consent of the potential borrower. Finally, any such information obtained 
should be kept strictly confidential by the lender. 

ABA has been a leader in helping banks assess every aspect of how they collect, use and 
distribute information - from who sees the information, to how it is stored and updated; from how it 
is used to benefit the customer, to how it is protected. For example, three years ago, we convened a 
select group of bankers to work on privacy issues. One of the many results of this task force was a 
Privacy Toolbox designed to help banks assess their information practices, comply with the 
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requirements of the Gramm-Leach-Bliley Act (GLB Act), train employees on handling sensitive 
information, and communicate to customers about how their information is protected. 

ABA’s Privacy Task Force went further in this toolbox than just the requirements of GLB 
Act to address both medical privacy and identify theft. Regarding medical privacy, the Task Force 
believed it important to reassure customers and the public at large that, to the extent banks possess 
medical information on a customer, it will be held sacred. This would include, for instance, 
information on payments made by a customer to a medical facility. Therefore, ABA’s task force set 
forward the following principle: 

Medical Information Will Not Be Shared 

Financial institutions recognize that, when consumers provide medical 
information for a specific purpose, they do not wish it to be used for other 
purposes, such as for marketing, or in making a credit decision. If a customer 
provides personal medical information to a financial institution, the financial 
institution will not disclose the information, unless authorized by the customer. 

In addition, we encouraged banks to either add language to their privacy policies - or create 
a separate privacy document - promising to keep medical information confidential. 

Conclusion 

Mr. Chairman, the banking industry is built on trust. Protecting customer information is 
absolutely necessary to maintaining that trust. How information is collected, used, and protected is 
an issue not just for banks; it is an issue of economic health for our nation. Efficient consumer 
credit markets are vital to a thriving economy, and efficiency demands a nationwide, seamless, and 
reliable system of credit reporting. Such a system would be impossible without the Fair Credit 
Reporting Act. Protecting medical and health information is extremely important and should only 
be used when directly relevant to the credit granting process, and then only with the permission of 
the potential borrower. 

Mr. Chairman, the ABA appreciates the opportunity to testify today, and I would be happy 
to answer any questions you, or the subcommittee members, may have. 
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FSCC 


Financial Services Coordinating Council 

Representing America's Diversified Financial Services Community 


This booklet was developed for the Financial Services Coordinating Council, 
a coalition of the American Bankers Association, the American Council of 
Life Insurers, the American Insurance Association, and the Securities 
Industry Association. 

The study analyzes the question of how well the national credit reporting 
system under the Fair Credit Reporting Act (FCRA) has served the public. 
The issue is very timely, as amendments to FCRA that preempt state law 
are set to expire on January 1, 2004. Those preemptions affect provisions of 
FCRA considered to be the most important for preserving a national and 
voluntary credit reporting system. The authors conclude that: “Proposals to 
depart from a national reporting system by allowing states to intervene run 
the risk of upsetting the carefully balanced interests under FCRA, and 
diluting the benefits that flow’ from the existing system.” 

The Council wishes to express its appreciation to the authors: Professors 
Michael E. Staten and Fred H. Cate. Mr. Staten is the Distinguished 
Professor and Director of the Credit Research Center at the McDonough 
School of Business at Georgetown University. Under his direction since 1990, 
the Center has gained a national reputation for analysis of the economics of 
consumer credit markets. Mr. Cate is a Distinguished Professor and Ira C. 
Batman Faculty Fellow at the Indiana University School of Law-Bloomington 
and senior policy advisor in the Hunton & Williams Center for Information 
Policy Leadership. He is an internationally recognized authority on privacy 
and information law. Both authors have testified before Congress on issues 
related to privacy and information, and both have published extensively in 
this field. 

For additional copies or information about the FSCC, please contact Phil 
Anderson, Executive Director, 202.624.2192 or visit www.fsccnews.com. 
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The Impact of National 
Credit Reporting 
Under the Fair Credit 
Reporting Act: 

The Risk of New Restrictions 
and State Regulation 


Michael E. Staten 5 


Fred H. Cate- 


1 Distinguished Professor and Director of the Credit Research Center at the McDonough School of Business, Georgetown 
University. 

^Distinguished professor and Ira C. Batman Faculty Fellow at the Indiana University School of Law-Bloomington, and senior 
policy advisor in the Hunton & Williams Center for Information Policy Leadership. 
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Executive Summary 

Since 197 1 the U.S. credit reporting system has 
operated under the Fair Credit Reporting Act 
(FCRA). In 1996 Congress amended the FCRA 
to address a variety of concerns related to the 
proper uses of credit report information, its 
accuracy, and consumer privacy. Those amend- 
ments reflected a careful balancing of these 
interests. A critical component of that balance 
was preemption of state laws affecting those 
provisions of the FCRA that were considered 
most important for preserving a voluntary, 
market driven credit reporting system that 
supported widespread access to credit. 

However, in the face of dramatic changes in 
technologies, commerce, and markets, Congress 
provided that preemption would expire on 
January 1, 2004. That compromise ensured that 
there would be both an opportunity and a need 
to assess the impact of imposing uniform 
national standards and to reevaluate the FCRA 
in an evolving national market. 

As the January 1, 2004 deadline nears, 
Congress is being asked to consider dropping 
federal preemption from the FCRA and allow- 
ing states to regulate the central elements of 
credit reporting. Abandoning uniform national 
standards would mark a radical change in a 
credit reporting system that has evolved almost 


entirely without state or local regulation of its 
core functions. Such a step puts at risk the 
benefits that flow from the existing national 
reporting system — the foundation for the most 
dynamic consumer and mortgage credit 
markets in the world. 

Given the magnitude of this threat, 
preemption should not be abandoned without 
first assessing (1) how well the current national 
credit reporting system under the federal FCRA 
has served the American public and economy, 
and (2) the risks to consumers and commerce of 
adopting significant new restrictions on credit 
reporting or of subjecting that national system 
to state and local regulation. 

All of the relevant economic analyses, 
case studies, policymaker statements, and 
government and industry reports provide a 
remarkably consistent response to these two 
inquiries. They demonstrate that the voluntary 
national credit reporting system that has 
evolved under FCRA has generated extraordi- 
nary benefits for individual consumers and the 
nation as a whole. National credit reporting has 
helped to make the United States the world 
leader in the development of competitive 
consumer and mortgage credit markets. 
Proposals to depart from a national reporting 
system by allowing states to intervene run the 
risk of upsetting the carefully balanced 
interests under FCRA, and jeopardizing the 
benefits that flow from the existing system. 


Financial Services Coordinating Council 

itepcespnvtsg Amends's Divers.' Tied FiearsciTS; services Corfimurwy 


173 


Benefits that Flow 
from the Existing 
National Credit 
Reporting System 

The U.S. national credit reporting system is 
unique in achieving a remarkable combination 
of (a) widespread access to credit across the age 
and income spectrum, (b) relatively low interest 
rates on secured loans (e.g., home mortgages, 
automobiles), (c) exceptionally broad access to 
open end, unsecured lines of credit (e.g., bank 
card products), and (d) relatively low default 
rates across all types of consumer loans. 

The following categories summarize the 
extraordinary benefits that consumers and the 
US. economy enjoy as a result of the national 
credit reporting system supported by the FORA: 


1 . Consumer Access to Credit 

Broader Credit Access Across the U.S. Population 
Consumer and mortgage credit underpins much 
of the consumer spending that accounts for over 
two-thirds of U.S. gross domestic product and 
has been a key driver of U.S. economic growth. 
Mortgage credit financed the vast majority of 
the 516,000 single-family homes that U.S. 
consumers bought every month, on average, 
during 2001 — accounting for about 14 percent 
of U.S. GDP. Consumer credit financed the vast 
majority of the 1.4 million cars, SUVs, and light 
trucks that U.S. consumers purchased or leased 
every month. 


In 2001, 75 percent of U.S. households 
participated in the consumer and mortgage 
credit markets. Sixty-eight percent of U.S. 
households owned their own homes, and nearly 
two-thirds of these homeowners had some type 
of mortgage loan. Nearly a third of all 
households had automobile loans or leases. 
About 73 percent of all households owned at 
least one general purpose credit card (e.g.. Visa, 
MasterCard, Discover, American Express) in 
2001. The average U.S. consumer-borrower had 
eleven open accounts (seven credit cards, four 
installment or real-estate-secured loans). 

Credit market participation is remarkably wide 
and deep. 




The Impact of National Credit Reporting Under the Fair Credit Reporting Act 



Consumer Credit and the U.S. Economy 
U.S. credit markets facilitate and extend 
economic expansion by reducing liquidity 
constraints. Consumer credit allows households 
to transfer consumption from periods where 
household income is high to periods where 
income is low. U.S. credit markets are the most 
efficient in the world at allowing households to 
smooth their consumption patterns over time, 
rather than postpone major purchases until 
incomes and asset holdings build to sufficient 
levels. 

Credit provides a “bridge” to tens of millions 
of households that can sustain them through 
temporary disruptions and declines in incomes, 
thus helping to neutralize the macroeconomic 
drag associated with these events, lowering the 
risk of outright recession, and reducing the 
magnitude of downturns when they do occur. 

The importance of consumer credit markets 
to the strength and resiliency of the U.S. 
economy is a direct consequence of the credit 
reporting system. A recent study of 43 
countries found that total bank lending to the 
private sector (scaled by country GNP) is larger 
in countries where information sharing is more 
solidly established and intense. 



Impact of Credit Reporting on Traditionally 
Underserved Americans 

Equally remarkable is the increased access to 
credit across the income spectrum over the past 
three decades. Figure 3 displays the change in 
the percentage of U.S. households that used 
non-mortgage credit between 1970 (the year 
before the FCRA took effect) and 2001. The 
largest gains were in the lower end of the 
income spectrum. The proportion of households 
in the lowest fifth of the income distribution 
who had access to consumer credit jumped by 
nearly 70 percent over the period. By contrast, 
growth in the highest and second highest 
income quintiles averaged less than 5 percent. 
Accessible credit information “democratizes” 
financial opportunity. 


Table 1 . Home Ownership Rates Among Younger Borrowers 


Country 

% Home Ownership Among 
Population Aged 26-35 

Average % Downpayment, 

1991-1995 

United States 

49.3 

11 

United Kingdom 

63.8 

5 

Spain 

40.0 

20 

France 

35.0 

20 

Italy 

23.2 

40 

Germany 

18.5 

20 

Source; Chiuri and Jappelli, 2002. 
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The U.S. credit reporting system helps fami- 
lies break the stubborn cycle of low economic 
status from generation to generation. Credit is 
essential to home ownership, which is one of 
the most important steps in the accumulation 
of wealth. Home ownership rates among 
younger households vary substantially across 
developed countries, due in large part to differ- 
ences in credit reporting. Lenders in the United 
States, Canada, and the United Kingdom can 
require less collateral (i.e., a lower down 
payment) as a hedge against the likelihood of 
default because borrower credit histories are 
more complete. These countries are among the 
leaders in terms of home ownership among 
younger households. In contrast, in countries 
where the exchange of credit history data is far 
more limited (e.g., France, Italy and Spain) 
down payments are higher and the degree of 
home ownership among younger households is 
significantly lower. 



These benefits of credit reporting are 
especially great for minorities. Between 1989 
and 1998, home ownership rates rose more 
sharply for African Americans, Hispanics, and 
lower-income families than for other groups, 
but only a small part of these gains were 


attributable to improvements in their incomes 
or economic circumstances. Innovation among 
mortgage lenders in terms of risk measurement 
and the ability to develop and tailor new prod- 
ucts for specific population segments accounted 
for much of the gains, all of which depended 
upon a robust credit reporting system. 


2. More Accurate Decision-Making 

Because credit reports are compiled over time, 
from a wide range of sources, and updated 
daily, creditors (as well as insurers, employers 
and other businesses with a permissible pur- 
pose) can see a far more complete picture of 
present and past credit behavior. These data, 
reflecting a borrower's own past payment histo- 
ry, replace face-to-face attempts to evaluate 
character and capacity (common a generation 
ago) with a less invasive, more accurate assess- 
ment based on documented prior behavior. 
Lending decisions are faster and more equi- 
table. There is less opportunity for the loan 
decision to be influenced by factors other than 
how the borrower has handled credit in the 
past, and standardized credit report data make 
it easier for regulators to verify compliance 
with antidiscrimination and other lending laws. 

Credit reporting thus improves the 
performance of the entire market, lowering the 
costs of making credit available and increasing 
the number of Americans who qualify for credit. 
According to one recent study, if creditors did 
not have access to the full range of credit 
information currently available in the United 
States, they would extend new credit to 11,000 
fewer customers for every 100,000 applicants. 

As Federal Reserve Board Chairman Alan 


tv The Impact of National Credit Reporting Under the Fair Credit Reporting Act 


176 


Greenspan has noted, access to personal credit 
history data makes individual financial institu- 
tions w more creditworthy and efficient,” and the 
U.S. financial services sector “ more transparent 
and stronger in general” 


Figure 5 

Percent of U.S. Households with Any Payment Past 
Due 60 Days or More 



Family Income Percentile 


Furthermore, credit reports (and the scoring 
models they make possible) allow lenders to be 
proactive in preventing debt problems, even for 
existing accountholders. Credit report data 
allow creditors to prevent overextension. 
Consequently, U.S. delinquency rates are 
remarkably low. In the fourth quarter of 2002 
only 3.9 percent of all mortgage borrowers in 
the United States were delinquent 30 days or 
more. Only 4.6 percent of all credit card borrow- 
ers were delinquent 30 days or more on their 
accounts. Sixty percent of U.S. borrowers never 
had a payment delinquent 30 days or more in 
the previous seven years. 

Moreover, the share of household income 
devoted to debt service is remarkably similar 
across all income groups, suggesting that 
previously underserved groups are not 
generally taking on more new credit than they 
can handle. As a group, households in the lower 
two-fifths of the income distribution do not 
carry greater debt burdens than higher income 
households, and their burden has not signifi- 


cantly increased over the past decade. 
Similarly, there is no evidence that households 
in the lowest two-fifths of the income distribu- 
tion experienced any greater increase in delin- 
quency (in percentage terms) over the past 
decade than households in the other groupings. 
Robust, national credit reporting has thus not 
only made it possible for more people to have 
access to more credit, but to do so without 
increased defaults. 


Figure 6 

U.S. Bankcard Ownership by Household Income 



Lowes) 2no Lowest Middle 2nd Highest Highest 
income Quintile 


3. Enhanced Competition 

Because it dramatically reduces the cost of 
assessing the risk of new borrowers, credit 
report information encourages entry by new 
lenders and greater competition. Access to 
national credit report data and the ability to 
use them to “prescreen” applicants, for example, 
has transformed the credit card market by 
facilitating efficient national competition. In the 
face of that competition, consumer choice has 
increased dramatically; services such as no-fee 
cards and cards offering frequent traveler miles 
or rebates are now commonplace. Credit card 
rates have plummeted, relative to the late 
1980s. The number of Americans with access to 
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credit cards has soared. The percentage of U.S. 
households owning at least one general-purpose 
bank credit card has increased from 43 percent 
in 1983 to 73 percent by 2001. Overall, 30 mil- 
lion more U.S. households had a bankcard in 
2001 than in 1983. 

Laws that inhibit the assembly of compre- 
hensive credit reports act as a barrier to 
competition by giving the dominant incumbent 
lender a monopoly over the information it 
possesses about its customers, and denying new 
market entrants the information needed to 
provide and market competitive services. In 
Europe, where comprehensive credit reports are 
not readily available, financial sendees are 
provided by far fewer institutions — one-tenth 
the number that serve U.S. customers. In 
France, the European Union country with 
some of the strictest financial privacy laws, 
seven banks control more than 96 percent of 
banking assets. The absence of comprehensive 
credit histories restrains competition and 
makes it easier to hold customers and 
capital captive. 


Ownership rates of unsecured credit cards 
are vastly higher in the United States than in 
Europe. A Morgan Stanley Dean Witter report 
highlights the critical difference that available 
credit histories make, noting that “it]he biggest 
obstacle to new entrants” in many European 
countries “is the lack of a centralized credit 
bureau.” 


4. Speed and Convenience 

The depth of information in U.S. credit reports 
enhances the speed of credit and other financial 
service decisions. Even very significant deci- 
sions about financing a college education or a 
new home or writing automobile or homeown- 
ers insurance are often made in a matter of 
hours or minutes, instead of days and weeks as 
is the case in most other countries, because 
credit history data is readily accessible. In 
2001, 84 percent of automobile loan applicants 
in the United States received a decision within 


Table 2. Credit Card Ownership, 1997 (per 1000 people in population) 


Country 

Superpremium + 
Premium 

Corporate 

Standard 

Total 

United States 

650.4 

20.9 

945.0 

1616.3 

United Kingdom 

91.3 

22.5 

546.7 

660.5 

Belgium 

53.0 

6.9 

197.4 

257.3 

Netherlands 

38.3 

9.4 

195.9 

243.5 

Spain 

26.5 

4.3 

212.0 

242.8 

Sweden 

44.2 

46.4 

85.8 

176.4 

Germany 

39.7 

4.6 

127.8 

172.0 

Italy 

18.2 

9.7 

109.1 

137.0 

France 

25.1 

3.1 

68.3 

96.6 


Source: Lyn C. Thomas, David B. Edelman, and Jonathan N. Crook, Credit Scoring and its Applications, Society for Industrial and 
Applied Mathematics, Philadelphia. 2002, p 212. 
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an hour; 23 percent of applicants received a 
decision in less than 10 minutes. Many retailers 
open new charge accounts for customers at the 
point of sale in less than two minutes. 
According to Federal Trade Commission 
Chairman Muris: "Many fail to appreciate that 
the average American today enjoys access to 
credit and financial services, shopping choices, 
and educational resources that earlier 
Americans could never have imagined. . . . 

What I personally find most astounding is . . . 
the ‘miracle of instant credit.’” Muris concluded: 
“This ‘miracle’ is only possible because of our 
credit reporting system.” 


5. Catalyst to Productivity Growth 

Portable credit “reputations” give consumers 
greater mobility and enhance their ability to 
respond to change. From a labor market 
perspective, the credit reporting system under 
FCRA has increased our mobility as a society, 
so that structural shifts within the economy 
can cause temporary disruptions but without 
crippling long-term effects. There is less risk 
associated with severing old relationships and 
starting new ones, because objective informa- 
tion is available that helps us to establish and 
build trust in new locations more quickly. 
Economist Walter Kitchenman has described 
the “almost universal reporting” of personal 
information about consumers as not only the 
“foundation” of consumer credit in the United 
States,” but also as the “secret ingredient of the 
U.S. economy’s resilience.” 

In contrast, more restrictive, and inconsis- 
tent, credit reporting laws prevent European 
consumers from taking full advantage of their 


complete credit histories. The fact that credit 
information is not mobile restricts the mobility 
of consumers, because of the resulting difficulty 
of obtaining credit from new institutions. In 
fact, European consumers, although they 
outnumber their U.S. counterparts, have access 
to one-third less credit as a percentage of gross 
domestic product. 


6. Reduced Costs 

Comprehensive credit reports have improved 
the competitiveness and efficiency of credit 
markets, led to powerful improvements in risk- 
management technology (like credit scoring), 
and created more product choices and better 
tools for assessing and managing risks, thereby 
avoiding delinquencies and defaults. All of this 
ultimately lowers the cost of credit to consumers. 

Reliable, centralized, and standardized 
consumer credit information also makes it possi- 
ble to pool consumer loans and then sell them to 
investors. A Tower Group study concluded that 
U.S. mortgage rates are two full percentage 
points lower than in Europe because it is 
possible to securitize and sell mortgage loans. 
Consequently, American consumers save as 
much as $120 billion a year on $6 trillion of out- 
standing mortgages because of the efficiency and 
liquidity that credit report data make possible. 

By making refinancing easy and fast, the 
U.S. credit reporting system also allowed eleven 
million homeowners to refinance their home 
mortgages to take advantage of lower interest 
rates during just a 15-month period in 2001 
and early 2002, thereby saving an estimated 
$3.2 billion annually in mortgage payments. 
Moreover, improved risk assessment and 
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sharing — by spreading risks over a larger pool 
of capital and a larger number of investors — 
lowers the cost of capital, thereby making credit 
available to consumers more affordably. 

The economic benefits of nationwide credit 
reporting are so great and so ubiquitous that 
the cost to consumers of having a less robust 
system could easily range into the hundreds of 
billions of dollars annually. 


7, Public Safety and Security 

Credit reports have long proved a useful and 
convenient way to check for past criminal 
convictions when employing school bus drivers, 
child care workers, security guards, and people 
to fill other sensitive positions. They are an 
important tool in preventing financial fraud, 
because they provide a comprehensive picture of 
an individual’s financial dealings. They are also 
becoming an increasingly potent weapon in the 
fight against identity theft and terrorist threats. 


The Threat of New 
Restrictions on Credit 
Reporting 

Proposals to abandon preemption, or to enact 
new federal or state restrictions on those criti- 
cal aspects of credit reporting that are currently 
the subject of preemption, threaten the diverse 


array of benefits that flow from the current 
credit reporting system under the FCRA. While 
most aspects of credit reporting are vulnerable 
to the high costs of state or local regulation, 
some are especially at risk. This explains why 
Congress first preempted state-level regulation 
in these areas in 1996. 

The Special Vulnerability of Furnishers 
of Credit Report Data 

Because no one is required to provide 
information to credit bureaus, if furnishers of 
information faced significant compliance 
burdens or liability, as would be the case if 
complying with separate and even inconsistent 
state laws, they would be more likely to stop 
contributing the information. Imposing liability 
for errors or significant additional burdens on 
the furnishers of consumer data to credit 
bureaus would discourage firms from reporting. 
Even the absence of a small amount of 
relevant information from credit reports could 
dramatically reduce their usefulness and lead 
to less accurate credit decisions and less access 
to credit for people who need it most. 

Obsolescence Determinations 
The 1996 amendments also precluded states 
from regulating when data would be considered 
“obsolete” and therefore could not be included 
in credit reports. Currently, derogatory informa- 
tion must be excluded from credit reports after 
seven years (with the exception of a notice of 
bankruptcy, which may remain for ten years). 
State-by-state or accelerated obsolescence 
determinations would undermine the predictive 
value of credit reports. 
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Opt-in Consent 

The 1996 amendments to the FCRA explicitly 
authorized the sharing of eredit report data 
among affiliated companies and with anyone for 
the purpose of marketing credit or insurance 
opportunities to consumers, provided that 
consumers are given an opportunity to opt out 
of that sharing. Proposals to move to an opt-in 
system are certain to impose new costs on con- 
sumers because opt-in requires each company to 
gain explicit consent from each consumer prior 
to using personal information to target its mar- 
keting efforts. Yet consumers are remarkably 
difficult and expensive to contact individually. 

Opt-in is especially inefficient in the context 
of credit granting because it requires that every 
consumer be contacted, even though only a 
portion will qualify for an offer of credit. Those 
who do qualify will have to be contacted twice — 
once for permission to use the data and again 
to make the offer. Moreover, credit bureaus 
usually have no relationship or direct contact 
with the consumer. Individuals are less likely to 
pay attention or respond to requests for consent 
from companies with which they have no deal- 
ings. Put simply, the consensus of studies and 
company experience is that conditioning the use 
of information on opt-in consent is tantamount 
to banning the use outright. 

This makes an opt-in system for prescreen- 
ing and sharing credit report data among affili- 
ated companies an especially great impediment 
to the emergence of new market entrants and 
the development of innovative products and 
services, which, in turn, threatens the lower 
prices and enhanced choice that competition 
facilitates. Opt-in for prescreening and affiliate- 


sharing restrains competition and the benefits 
that flow from it. 

National Credit Reporting 
Virtually all of the benefits to individuals and 
the economy from the current U.S, reporting 
system result from its national character. 
National credit reporting made possible 
national competition in the market for credit 
and other financial services. Moreover, U.S. 
consumers are remarkably mobile, thanks in 
part to the ubiquitous availability of credit 
reports. Regulating credit histories state-by- 
state would ill serve consumers as they move, 
commute, and deal with business from across 
state lines. It would leave holes (potentially 
large ones) in credit files. Moreover, the fact 
that those holes could exist would greatly 
reduce the reliability of credit reports. 

The cost of determining which state law 
or laws applied, and of complying with those 
laws, could easily undermine the credit 
reporting system. That system deals in huge 
volumes of data — over 2 billion trade line 
updates, 2 million public record items, an 
average of 1.2 million household address 
changes a month, and over 200 million 
individual credit files. Its viability depends on 
exceptional efficiency and low marginal costs 
of updates, which, in turn, keep the cost of 
providing credit reports low. Moreover, a 
national standard offers better and more 
consistent privacy protection. This undoubtedly 
explains why privacy advocates have 
historically argued for the need to replace 
state and local laws with a single, uniform 
privacy standard. 
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Conclusion 

By limiting the term of preemption to seven 
years, Congress provided a specific opportunity 
for policymakers to determine how well the 
national credit reporting system under the 
FCRA has served the public. The available 
evidence — economic and otherwise — 
demonstrates that the voluntary national credit 


reporting system that has evolved under 
FCRA has generated extraordinary benefits 
for individual consumers and the nation as a 
whole, and has helped to make the United 
States the world leader in the development of 
competitive consumer and mortgage credit 
markets. Proposals to depart from a national 
reporting system by allowing states to 
intervene run the risk of upsetting the carefully 
balanced interests under FCRA, and diluting 
the benefits that flow from the existing system. 
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Introduction 

Credit reporting in the United States evolved 
during the twentieth century as a market- 
driven response to creditors’ need to determine 
the likelihood that borrowers would repay 
loans. The credit reporting industry was largely 
unregulated until passage of the Fair Credit 
Reporting Act (FCRA) in 1970. 3 In the FCRA, 
Congress struck a balance that was intended to 
encourage more voluntary reporting of 
consumer borrowing and payment histories, 
while promoting greater accuracy in reporting 
and addressing consumers’ privacy concerns 
regarding uses of credit report information. 

In 1996 Congress amended the FCRA to 
expand the permissible uses of credit report 
data, further encourage the accuracy of 
reported information, and give consumers new 
opportunities to oversee the use of information 
about them. 4 The amendments were enacted 
following years of hearings and debate and 
continued to reflect the careful balancing of 
commercial and consumer interests that was 
the hallmark of the original statute. However, 
by 1996 a rising tide of state-level privacy 
legislation was threatening to disrupt the 
balance by subjecting key elements of the 
increasingly national credit reporting system to 
inconsistent state standards. 5 Thus, a critical 
component of the 1996 amendments that was 
intended to preserve the national reporting 
system was the preemption of state and local 
laws that would impact specific core elements 
of the credit reporting system. 

In the 1996 amendments. Congress 
preempted those elements of the FCRA that 
were considered most important for preserving 


a voluntary, market-driven credit reporting 
system that protected consumer privacy but 
also supported widespread access to credit. 
Specifically, Congress prohibited state laws 
dealing with: 

1. Responsibilities of those who furnish 
data to be included in a credit report. 

2. Responsibilities of persons who take 
adverse action based on a credit report. 

3. Time to investigate and take appropri- 
ate action regarding disputed credit report 
information. 

4. Time periods for which specific items 
of adverse information may be included in 
consumer credit reports. 6 

5. Sharing of information — not just from 
credit reports— among affiliates.' 

6. Use of credit report data for “prescreen- 
ing” credit information for the purpose of 
marketing credit or insurance opportunities to 
consumers, provided that credit bureaus 
establish and publish a toll-free telephone 
number that consumers can call to opt out of 
prescreening. 6 


Fair Credit Reporting Act of 1970, Pub. L. No. 91-508, 84 
Stat. 1114 (codified at 15 U.S.C. §§ 1681-16810. 

1 Consumer Credit Reporting Reform Act of' 1996, enacted 
as title II, subtitle D, chapter 1 of the Omnibus Consolidated 
Appropriations Act for Fiscal Year 1997, Pub. L. No. 104-208, 
104th Cong., 2d Sess. §§ 2401-2422 (Sept. 30, 1996) (codified 
at 15 U.S.C. 5§ 1681-16810. 

' The more than 3000 credit bureaus operating in 1971 had 
shrunk to fewer than 600 by 1996, and those were already 
well on the way to evolving into three national automated 
reporting systems — Equifax, Experian, and TransUnion. 

" 15 U.S.C. § 168 It. 

■ 15 U.S.C. § 1681a(d)(2)(A)(iii). The 1996 amendments 
excluded two provisions of Vermont law that regulated 
affiliate-sharing. Vermont Stat. Ann., tit. 9. §§ 2480ela), 
2840e»cXl). 

J Id. § 1681b(cX5>. 
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7. Notices to be included with prescreened 
solicitations. 

8. Summary of consumer rights to be 
provided to individuals. 

States are free to regulate other aspects of 
the credit reporting system, and they continue 
to play an important role in enforcement and 
education, but in the eight areas specified in 
the statute, federal law alone has controlled 
since 1996. 

However, in the face of ongoing, rapid, and 
often dramatic changes in technologies and 
markets. Congress provided that preemption 
would expire on January 1, 2004. Thus, the 
compromise that prohibited state-by-state regu- 
lation in the core preempted areas also ensured 
that there would be both an opportunity and a 
need to assess the impact of imposing uniform 
national standards, as well as to reevaluate the 
specific provisions of the FCRA in an evolving 
national market. 

As the January 1, 2004 deadline nears, 
some privacy advocates and legislators are 
urging Congress to drop federal preemption 
from the FCRA and allow states to regulate the 
central elements of credit reporting. Abandoning 
uniform national standards would mark a 
radical change in a credit reporting system that 
has evolved almost entirely without state or 
local regulation of its core functions. Such a 
step puts at risk the existing national reporting 
system and all of the benefits that flow from it 
as the foundation for the most dynamic 
consumer and mortgage credit markets in the 
world. Preemption should therefore not be 
abandoned without assessing carefully (1) how 
well the current national credit reporting 
system under the federal FCRA has served the 
American public and economy, and (2) the risks 
to consumers and commerce of subjecting that 


national system to state and local regulation or 
of adopting significant new restrictions on 
credit reporting. 

There has been surprisingly little 
comprehensive study of the overall impact of 
the robust credit reporting system that has 
evolved in the United States. In this report, 
we seek to fill that gap, drawing on the most 
relevant evidence from diverse sources, 
including economic analyses, case studies, 
policymaker statements, and government and 
industry reports. 9 


Benefits that Flow 
from the Existing 
National Credit 
Reporting System 

The most remarkable discovery we have made 
is the consistency across the wide range of 
material we have reviewed. Without significant 
exception, the evidence demonstrates that the 
balance struck by the FCRA has facilitated the 
development of the most robust credit informa- 
tion system in the world. In turn, that system 
has generated extraordinary benefits for 
individual consumers, businesses, and the U.S. 
economy. The United States is unique in 
achieving a remarkable combination of 
(a) widespread access to credit across the age 

''This paper focuses primarily on consumer and mortgage 
credit markets, but it should be noted that the credit 
reporting system also directly benefits markets for 
insurance, apartment rentals, cel! phones service contracts, 
utilities, and a variety of other types of transactions. 
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and income spectrum, (b) relatively low interest 
rates on secured loans (e.g., home mortgages, 
automobiles), (c) exceptionally broad access to 
open end, unsecured lines of credit (e.g., bank 
card products), and (d) relatively low default 
rates across all types of consumer loans. Below’ 
we describe categories of benefits to consumers 
and the U.S. economy from the credit markets 
supported by the FCRA. 


Consumer Access and Usage of Credit 

Broad Credit Access Across the U.S. Population 
Consumer and mortgage credit underpins much 
of the consumer spending that accounts for over 
two-thirds of U.S. gross domestic product and 
has been a key driver of U.S. economic growth. 
U.S. households collectively hold about §6 
trillion in mortgage loans and another $1.7 
trillion in auto loans, credit card balances and 
other personal loans. 10 Total household credit as 
a percent of Personal Disposable Income in 
2000 was 106 percent in the United States, 
compared to an average of about 68 percent 
across the European Union and Japan (see 
Figure l).”The greater availability of credit in 
the United States is no coincidence. Economists 
have found that the volume of consumer and 
mortgage lending rises as a direct result of 
greater information sharing within a country’s 
credit reporting system, and the United States 
has the most complete, timely, and reliable 
credit histories of any country.' 2 

In 2001, 75 percent of U.S. households 
participated in the consumer and mortgage 
credit markets and held some type of debt. 
Sixty-eight percent of U.S. households owned 
their own homes, and nearly two-thirds of these 


Rgore 1 

Total Household Credit as a Percentage of 
Persona! Disposable Income (2000) 



U.S Canada £U Ave'age Japan Biaai 


homeowners had some type of mortgage loan. 13 
Those mortgages made it possible for U.S. 
consumers to purchase 516,000 single-family 
homes every month , on average during 2001. 
According to the National Association of Home 
Builders, the construction of housing and the 
value of housing services produced by the 
housing stock accounts for about 14 percent of 
U.S. GDP. Moreover, in the first twelve months 
after purchasing a newly built home, the 
new owners spend an additional $8,905 on 
furnishings and improvements, more than twice 
the amount spent in a year by non-moving 
homeowners.' 4 These additional expenditures, 
most of which are financed via some type of 
consumer credit, help to fuel economic growth. 
About 73 percent of all households owned at 
least one general purpose credit card (e.g., Visa, 
MasterCard, Discover, American Express) in 

Federal Reserve Board <www.federalreserve.gov>. 

11 “Global Growth, Local Challenge,” Morgan Stanley 
Research, Mar. 21, 2001. 

Tullio Jappelli and Marco Pagano, ‘Information Sharing, 
Lending and Defaults: Cross-Country Evidence.” Journal, of 
Banking and Finance , Vol. 26, 2002, pp 2017-2045. 

:l! Federal Reserve Board, 2001 Survey of Consumer 
Finances. 

!J National Association of Home Builders <www.nahb.com>. 
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2001. 15 Consumer credit also financed the 
purchase or lease of 1.4 million cars, SUVs and 
light trucks in the average month during 2001. 
Nearly a third of all households had automobile 
loans or leases. Across 200 million individual 
credit reports on file with the major U.S. 
repositories, the average U.S. consumer-borrow- 
er had eleven open accounts (seven credit cards, 
four installment or real-estate-secured loans). 16 
Credit market participation is remarkably wide 
and deep. 

Figure 2 illustrates the striking growth in 
household credit in the United States as a per- 
cent of Personal Disposable Income over the 
past 40 years. The key point is that the role of 
household credit in the U.S. economy, especially 
mortgage credit, has grown dramatically since 
passage of the FCRA. To be sure, population 
demographics (e.g., the coming of age of the 
baby boomers) and other economic factors have 
much to do with credit growing faster than 
Personal Disposable Income since 1980. 
Nevertheless, the credit reporting system 
provided the essential ingredients for an 
innovative marketplace to respond to a 
burgeoning demand for credit. 


Consumer Credit and the U.S. Economy 

For many years, growth in consumer indebted- 



ness has been viewed negatively by both the 
business press and Wall Street analysts. 17 Rising 
debt loads are treated as warning signals of 
impending slowdown in consumer spending. 
However, academic research in the 1990s has 
begun to turn this viewpoint on its head. In a 
recent article that reviews this research, Federal 
Reserve Board economist Dean Maki concluded: 
“In stark contrast to the view that growth in 
consumer indebtedness is a negative force 
threatening future spending, a consensus seems 
to be emerging from recent research that 
consumer credit growth is positively related to 
consumption in future periods.” 1 * 

Simply put. credit growth is an expression 
of optimistic consumer expectations regarding 
future income. When consumers feel good about 
their personal financial outlook, and credit 
markets do not impose liquidity constraints, 
consumer borrowing and spending rises. Credit 
markets help translate optimism into real 
economic activity. In this way, smoothly 
functioning credit markets facilitate and extend 
economic expansion. 


Ana M. Aizcorbe, Arthur B. Kennickell and Kevin B. Moore, 
“Recent Changes in U.S. Family Finances: Evidence from the 
1998 and 2001 Survey of Consumer Finances," Federal 
Reserve Bulletin. Jan. 2003, pp 1-32. 

** Consumer Data Industry Association 
<www.cdiaonline.org>. 

An interesting analysis of journalistic reporting on the 
impact of consumer debt trends on the macro-economy finds 
that it has been consistently (and inappropriately) skewed 
toward the negative for the past 50 years. See Thomas A. 
Durkin and Zaehariah Jonasson, “An Empirical Evaluation 
of the Content and Cycle of Financial Reporting: The Case of 
Consumer Credit,” Credit. Research Center Working Paper 
No. 64, McDonough School of Business, Georgetown 
University, Apr. 2002. 

" Dean M. Maki, “The Growth of Consumer Credit and the 
Household Debt Service Burden,” in The Impact of Public 
Policy on Consumer Credit, eds. Thomas A. Durkin and 
Michael E. Staten, Kluwer Academic Publishers, 2002, 
pp 43-63. 
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Consumer credit allows households to 
transfer consumption from periods where 
household income is high to periods where 
income is low. This is particularly important for 
householders early in the life-cycle (ranging in 
age from the early 20s though their 40s) when 
the demand for housing, durable goods and 
education is relatively high, and incomes are 
relatively low but expected to rise over time. 
U.S. credit markets are the most efficient in the 
world at allowing households to smooth their 
consumption patterns over time, rather than 
postpone major purchases until incomes and 
asset holdings build to sufficient levels. 

Because credit reports have allowed 
creditors to extend loans and establish lines 
of credit for a much wider segment of the popu- 
lation, as we discuss in greater detail below, 
tens of millions of households have access to a 
credit “bridge” that can sustain them through 
temporary disruptions and declines in incomes. 
Research has shown that credit markets that 
make loans accessible to large segmen ts of the 
population provide a cushion that neutralizes 
the macroeconomic drag associated with 
temporary declines in income, lowering the 
risk of outright recession and reducing the 
magnitude of downturns when they do occur . 19 

Evidence from overseas markets supports 
the conclusion that the United States enjoys a 
macroeconomic growth advantage as a conse- 
quence of its well-developed consumer credit 
markets. Cross-country studies have found that 
credit availability and consumption fluctuations 
are linked. Specifically, consumer spending is 
more sensitive to changes in income in 
countries with less-developed consumer credit 
markets, especially during periods of tighter 
credit constraints. 2 " In contrast, during the past 
two decades since financial deregulation 


significantly altered U.S. credit markets, credit 
constraints have become less of a factor in 
explaining shifts in household spending, 
because markets are making credit available to 
a wider range of borrowers and doing it more 
consistently through the business cycle. 

The growing importance of consumer credit 
markets to the strength and resiliency of the 
U.S. economy is a direct consequence of the 
credit reporting system that provides the foun- 
dation for millions of loan decisions annually. A 
recent study of 43 countries found that total 
bank lending to the private sector (scaled by 
country GNP) is larger in countries where 
information sharing is more solidly established 
and intense, even after controlling for factors 
such as country size, growth rates and the legal 
environment.- 5 Consequently, the macroeconomic 
benefits from smoothly functioning consumer 
credit markets can be linked back to the estab- 
lishment of a comprehensive system for sharing 
consumer borrowing and payment histories. 

Impact of Credit Reporting on Traditionally 
Underserved Americans 

One of the more remarkable achievements 
attributable to the development of comprehen- 
sive credit reporting is the increased access to 
credit down the household income spectrum in 
the U.S. over the past three decades. Recall that 

’* Dirk Kreuger and Fabrizio Perri, ■‘Does Income Inequality 
Lead to Consumption Inequality? Evidence and Theory,” 
National Bureau of Economic Research Working Paper No. 
W9202, Sep. 2002. 

w Tulio Japelli and Marco Pagano, “Consumption and Capital 
Market Imperfections: An International Comparison.” 
American Economic Review, Dec. 1989; Phillipe Bacehetta 
and Stefan Gerlach, “Consumption and Credit Constraints: 
International Evidence." Journal of Monetary Economics, 

Oct. 1997. 

Japelli and Pagano, id. 
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the FCRA was implemented in 1971. Figure 3 
below displays the change in the percentage of 
U.S. households that had access to and used 
non-mortgage credit (i.e., closed-end automo- 
bile, education and other personal installment 
loans, plus open-end credit card accounts and 
lines of credit) between 1970 and 2001. The 
largest gains were in the lower end of the 
income spectrum. The proportion of households 
in the lowest fifth of the income distribution 
who had access to consumer credit jumped by 
nearly 70 percent over the period. Participation 
by households in the second lowest income 
quintile rose by 29 percent. By contrast, growth 
in the highest and second highest income 
quintiles averaged less than 5 percent. 

Figure 3 illustrates that the growth in the 
national credit reporting system under the 
guidance of the FCRA has facilitated an 
increase in the number of Americans who now 
qualify for credit. The intuition behind this is 
straightforward. Detailed and reliable informa- 
tion on past payment behavior gives creditors 
confidence in assessing the creditworthiness of 
new borrowers. It allows them to design 
products to meet the credit needs of previously 
underserved populations. Credit reports allow 
businesses from hundreds of miles away to 
provide credit to people they have never met 



who are located in small towns and rural areas 
and who otherwise have limited access to those 
opportunities. 

Put simply, accessible credit information 
“democratizes” financial opportunity; because of 
the underlying credit reporting network, U.S. 
consumers can get credit, insurance and a host 
of other financial services based on their indi- 
vidual records, not their family name or how 
long they have known their banker. In addition, 
they can rent apartments, purchase cell phones 
and cable television services, and rent automo- 
biles without either large deposits or an estab- 
lished relationship with the service provider, all 
because their reputation for paying as agreed is 
documented through their credit reports. 

The U.S. credit reporting system benefits 
traditionally underserved segments of the 
population in other ways as well. Research on 
U.S. income inequality has found a stubborn 
pass-through of low economic status from 
generation to generation. Studies underway at 
the Federal Reserve Bank of Chicago are 
finding that “(all though the underlying factors 
that cause substantial (income) immobility in 
the United States remain poorly understood, 
some preliminary work suggests that borrowing 
constraints among families with low net worth 
may play a role in perpetuating income 
inequality.” For example, the author suggests 
that families facing credit constraints may have 
neither the assets nor the ability to borrow 
against future income to invest properly in 
their children’s education.** 

Because the credit-reporting infrastructure 
helps to support broader access to credit it can 
enhance asset and wealth accumulation. This 

See Bhash Mazumder, “Analyzing Income Mobility Over 
Generations." Chicago Fed fatter. Number 181, Sep. 2002. 
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Table 1 . Home Ownership Rates Among Younger Borrowers 


Country 

% Home Ownership Among 
Population Aged 26-35 

Average % Downpayment, 

1991-1995 

United States 

49.3 

11 

United Kingdom 

63.8 

5 

Spain 

40.0 

20 

France 

35.0 

20 

Italy 

23.2 

40 

Germany 

18.5 

20 


Source: Chiuri and Jappelli, 2002. 


effect is most pronounced for younger house- 
holds. As mentioned earlier, young households 
generally face tighter credit constraints. 
Younger borrowers have incomes that are 
relatively low but expected to rise, and high 
demand for the big-ticket purchases associated 
with family formation (housing, automobiles, 
education). Economists studying household 
survey data in the United States from the 
early- 1980s found at that time that young 
households faced liquidity constraints 
(restricted access to credit) that left them with 
as much as 75 percent less credit than they 
would otherwise demand and use if credit were 
more widely available. 1 ® Two decades of expand- 
ed access to credit since then has narrowed that 
gap, to the benefit of young and otherwise 
marginal borrowers on the fringe of the market. 

Home ownership is one of the most 
important steps in the accumulation of wealth. 
Economists have found that home ownership 
rates among younger households vary substan- 
tially across developed countries, and the reason 
is linked to differences in credit reporting. A 
study of home ownership rates in 14 countries 
(including eleven EU countries, Canada, the 
United States, and Australia) found that the 


cross-country variance in the required 
downpayment for a mortgage loan is a key 
determinant of differences in the timing of 
home purchase. The authors concluded that 
factors that foster the increased availability of 
mortgage loans and increased competition 
among mortgage lenders would lead to earlier 
home purchase behavior. In particular, the 
authors cited the extent of credit reporting 
(amount of information available in consumer 
credit report files) as a key factor, noting 
substantial variance in file content across the 
sampled countries. Lenders in the United 
States, Canada, and the United Kingdom can 
require less collateral (i.e., a lower down 
payment) as a hedge against the likelihood of 
default because borrower credit histories are 
more complete. These countries are among the 
leaders in terms of home ownership among 
younger households. In contrast, in countries 
where the exchange of credit history data is far 
more limited (e.g., France, Italy and Spain) 
down payments are higher and the degree of 


'' Donald Cox and TuUio Japelli, “The Effect of Borrowing 
Constraints on Consumer Liabilities,” Journal of Money, 
Credit and Banking , Vol. 25, No. 2, May 1993, pp 197-213. 
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home ownership among younger households is 
significantly lower.- 1 

There is no question that the comprehen- 
sive borrowing and payment histories contained 
in U.S. credit reports have facilitated a boom in 
mortgage lending to “subprime” borrowers, 
opening the door to wealth-building through 
home ownership. Subprime mortgage customers 
are households for whom the cost of mortgage 
credit would be significantly higher than the 
prevailing “prime” rate in the conventional 
mortgage market. Borrowers may be deemed 
subprime for a variety of economic reasons, 
including: credit problems in the past; too much 
existing debt relative to income; short, thin or 
non-existent credit histories; self-employment 
income that is irregular or otherwise difficult to 
document; low downpayment and few liquid 
assets. Subprime mortgage borrowers are often 
younger, lower-income or minority households. 
These borrowers were either on the fringe or 
entirely outside of the U.S. mortgage market 
just a decade ago. 

Subprime mortgage lending experienced 
rapid growth during the boom years of the 
1990s. New lending by subprime mortgage 
specialists rose from less than $30 billion in 
1993 to over $213 billion in 2002. 25 Subprime 
originations accounted for about 9 percent of all 
residential mortgage originations in the United 
States in 2002. 

Why did such rapid growth occur in a 
previously underserved segment of the market? 
To a large degree it was a combination of (a) 
the availability of detailed credit report data, 

(b) the legal ability to implement risk-based 
pricing, and (c) the adoption of statistical risk 
scoring technology by the mortgage industry 
which allowed risk to be rapidly and consistent- 
ly measured. In an analysis of home ownership 


trends since the late 1980s, Federal Reserve 
Board economists Rafael Bostic and Brian 
Surrette concluded that “something dramatic 
has taken place in the home ownership process 
faced by lower-income families.” 26 Eight million 
more U.S. households became homeowners by 
the end of the 1990s than was the case at the 
start of the decade. Home ownership rates rose 
more sharply for African Americans, Hispanics, 
and lower-income families than for other 
groups between 1989 and 1998, but only a 
small part of these gains were attributable to 
improvements in their incomes or economic 
circumstances. Bostic and Surette found that a 
substantial share of the improvement was due 
to changes in the ways that mortgage markets 
function, and cited significant innovation 
among mortgage lenders in terms of risk meas- 
urement and the ability to develop and tailor 
new products for specific population segments. 

The ability of lenders to develop products 
to (profitably) serve new borrowers and a 
wider segment of the population is critically 
dependent on the presence of accurate and 
timely credit report data. It is to this critical 
role of credit report data to support accurate 
decision-making that we now turn. 


Maria Concetta Chiuri and Tullio Jappelli, "Financial 
Market. Imperfections and Home Ownership: A Comparative 
Study," manuscript. Department of Economics, Universita di 
Salerno, 2002. 

Inside B&C Lending, Vol. 8, Issue 3. Feb. 3, 2002. 

* Raphael W. Bostic and Brian J. Surette, “Have the Doors 
Opened Wider? Trends in Homeownership Rates by Race 
and Income.” Federal Reserve Board Working Paper, Apr. 
2000 . 
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More Accurate Decision-Making 

Piercing the “Fog of Uncertainty" 

It is no exaggeration to say that credit bureau 
data has become the cornerstone of the $7 
trillion consumer lending industry in the 
United States. With access to the deepest, most 
comprehensive consumer payment histories in 
the world, U.S. creditors now apply statistical 
scoring models to estimate an individual’s 
repayment risk on virtually every type of con- 
sumer loan transaction, including home mort- 
gages. Creditors use scoring to set and adjust 
virtually every dimension of the loan relation- 
ship, including the initial application decision, 
pricing, collateral requirements on secured 
loans, size of credit line on unsecured credit 
cards, authorization of purchases at the point 
of sale, decisions to cross-sell other financial 
products, and the appropriate steps to collect 
the debt if the account becomes delinquent, or 
even looks like it might become delinquent. 27 

The credit report helps lenders pierce the 
“fog of uncertainty” that characterizes the risk 
assessment for a potential new borrower. 
Lending markets almost always display what 
economists call an “information asymmetry" 
between borrowers and lenders. Borrowers 
typically have more accurate information than 
lenders about their likelihood of repaying a 
loan. Lenders have an obvious incentive to 
evaluate the borrower’s creditworthiness, and 
the outcome will affect whether to approve the 
loan as well as its price. Borrowers have an 
incentive to signal their true risk (if it is low) or 
disguise it (if it is high). Given the amount of 
the loan principal at stake, both parties have 
incentives to incur costs (often large ones) to 
reduce the information asymmetry, and these 


actions have significant consequences for the 
operation of credit markets. The emergence of 
the third-party credit bureau to compile bor- 
rower credit histories and distribute them to 
lenders significantly lowers the cost to all par- 
ties of measuring borrower risk. 2 * 

Credit reports in the United States contain 
factual information about consumers’ current 
and past credit experience that is compiled over 
time, from a wide range of sources, and updated 
daily. Rather than relying on data from a single 
source or a snapshot of a borrower at a single 
moment in time, creditors (as well as insurers, 
employers and other businesses with a permis- 
sible purpose) can see a far more complete 
picture of present and past credit behavior. In 
the words of Federal Trade Commission (FTC) 
Chairman Timothy Muris: The extraordinary 
amount and variety of consumer credit 
available in the United States is made possible 
“because, without anybody’s consent, very 
sensitive information about a person’s credit 
history is given to the credit reporting 
agencies.” 29 Such a complete credit report 
helps lenders pierce the “fog of uncertainty” 
surrounding new applicants. The result is a 
better match of borrowers to loans. 

More efficient matching of loans and 
borrowers produces significant benefits for both 
consumers and the economy. Economists John 
Barron and Michael Staten conducted a study 


31 Paul Demery, “How Technology Boosted Plastic,” Credit 
Card Management 10th Anniversary Edition , May 1998, 
pp 42-45. 

•“ For the seminal article on the role of credit bureaus in 
making credit markets more efficient see Marco Pagano and 
Tullio Japelli, “Information Sharing in Credit Markets,” 
Journal of Finance, Dec. 1993, pp 1693-1718. 

• 5 Timothy J. Muris, Protecting Consumers' Privacy: 2002 and 
Beyond , Privacy 2001 Conference. Oct. 4, 2001. 
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that simulated the effect in the United States 
of imposing restricted credit reporting rules 
such as those in Australia (which allows the 
reporting of negative, or default, information 
only) and various Latin American countries 
(which developed fragmented, industry-specific 
reporting systems). 30 An example illustrates 
the general conclusions. To achieve the same 
default rate experienced with loans made in the 
U.S. reporting environment, creditors that were 
constrained to using the sharply limited credit 
bureau data present under Australian rules 
would extend new credit to 11,000 fewer 
customers for every 100,000 applicants than 
would be the case if they were allowed to use 
the more complete data available under U.S. 
law. The reason is intuitive: when risk assess- 
ment tools have less information available to 
them, creditors are less effective at matching 
loans to creditworthy borrowers. More loans go 
to borrowers who will default. More borrowers 
are rejected who would have repaid. The nega- 
tive impact on worthy borrowers is greatest for 
those who are young, have short time on the job 
or at their residence, have lower incomes, and 
are generally more financially vulnerable. 

These are precisely the borrowers for whom the 
ability to see successful handling of credit on 
the credit report is most important, to offset 
attributes that otherwise make them appear to 
be higher risk. 

A statistically valid credit scoring model 
based on credit bureau data has become the 
most powerful tool for predicting and managing 
risk appropriately. Credit bureau data in the 
United States have been shown to be dramati- 
cally more predictive than application informa- 
tion alone, including borrower income. 3 ' The 
reason is straightforward. Past payment behav- 
ior signals both ability and willingness to repay. 


Creditworthiness can be inferred from the 
degree to which past and existing lines have 
been utilized and whether those payments were 
on time or late. By definition, consumers with 
“good” credit histories have taken the credit 
available to them and, subject to their available 
incomes and economic circumstances, found a 
way to meet and pay their accounts as agreed. 
Risk assessment based on credit bureau data 
rewards those consumers who find a way to 
make their payments. Consequently, as detailed 
credit reports enable lenders to do a better job 
of assessing and pricing borrower risk, they 
also have an important side effect: they rein- 
force borrower incentives to manage credit 
wisely and avoid delinquencies and defaults. In 
this way, credit reporting improves the perform- 
ance of the entire market and lowers the costs 
of making credit available. 32 All of this further 
lowers the cost of credit to consumers. 

Credit scoring based on a borrower’s own 
past payment history replaces face-to-face 
attempts to evaluate character and capacity 
(common a generation ago) with a less invasive, 
more accurate assessment based on document- 
ed prior behavior. Lending decisions are faster 
and more equitable. There is less opportunity 

“ John M. Barron and Michael E. Staten, “The Value of 
Comprehensive Credit Reports: Lessons from the US. 
Experience,” in Margaret Miller, ed,, Credit Reporting 
Systems and the International Economy, MIT Press, 2003. 

1 Gary G. Chandler and Lee Parker, “Predictive Value of 
Credit Reports,” Journal of Retail Banking, Vol. XI, no. 4, 
Win. 1989; Gary G. Chandler and Robert W. Johnson, “The 
Benefit to Consumers from Generic Scoring Models Based 
on Credit Reports," IMA Journal of Mathematics Applied in 
Business and Industry , Vol. 4, No. 1, Oxford University Press, 
1992, pp 61-72; R.B. Avery, R.W. Bostic, P.S. Calem and G.B. 
Canner, “Credit Risk, Credit Scoring and the Performance 
of Home Mortgages," Federal Reserve Bulletin , Jul. 1996, 
pp 621-648. 

7,3 A. Jorge Padilla and Marco Pagano, “Sharing Default 
Information as a Borrower Discipline Device,” European 
Economic Review, Vo). 44 2000, pp 1951-1980. 
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for the loan decision to be influenced by factors 
other than how the borrower has handled credit 
in the past, and standardized credit report data 
make it easier for regulators to verify compli- 
ance with antidiscrimination and other lending 
laws. Moreover, validation of statistical scoring 
models built with credit bureau data prove that 
these inferences are more accurate and consis- 
tent, as well. Federal Reserve Board Chairman 
Alan Greenspan has noted that access to per- 
sonal credit history data makes individual 
financial institutions “more creditworthy and 
efficient and the U.S. financial services sector 
“more transparent and stronger in general .* 33 

Preventing Delinquencies and Defaults 

Furthermore, an under-appreciated aspect of 
today’s risk management technology is that it 
allows lenders to be proactive in preventing 
debt problems, not only in the application phase 
but even for existing accountholders. Credit 
scoring that takes into account the full breadth 
of a borrower’s obligations (and past payment 
history) allows creditors to prevent overexten- 
sion. Scoring is being used to determine 
appropriate intervention for borrowers headed 
for trouble, including possible recommendations 
for credit counseling assistance. 54 The compre- 
hensive credit reports that have developed 
under FCRA give U.S. lenders a much broader 
base of knowledge about a borrower’s financial 
circumstances, and more tools to serve their 
customers. The broader the lender participation 
in the voluntary reporting system, the better 
the information in the credit reports, to the 
benefit of all lenders and borrowers alike. 

Consequently, U.S. delinquency rates are 
low, remarkably so in the face of such high 
penetration of credit products across all income 
segments of the population. In the fourth 


quarter of 2002 only 3.9 percent of all mortgage 
borrowers in the United States were delinquent 
30 days or more 5' Only 4.6 percent of all credit 
card borrowers were delinquent 30 days or 
more on their accounts. 36 Indeed, a scan of 200 
million credit reports revealed that 60 percent 
of U.S. borrowers had never had a payment 
delinquent 30 days or more in the previous 
seven years.* 7 

Despite remarkably low average delinquency 
rates across all U.S. households, some observers 
have worried that previously underserved 
groups may have taken on more new credit 
than they could handle. If this actually 
occurred, it follows that we should expect to see 
evidence of growing household budgetary stress 
throughout the 1990s, the decade of most rapid 
gains in credit accessibility and growth in debt 
relative to income. This would be especially 
apparent among lower income households, 
those revealed in Figures 2 and 3 to have 
experienced the greatest percentage growth in 
participation in credit markets. However, 
Figures 4 and 5 provide little support for such 
an argument. Both figures display data from 
the Federal Reserve’s Surveys of Consumer 
Finances. Figure 4 displays, by income 

; Remarks by AJan Greenspan at the Conference on Bank 
Structure and Competition of the Federal Reserve Bank of 
Chicago, Chicago, IL (May 6, 1999) (emphasis added). 

'■ For examples see: Paul Demerv, “Why Risk Managers 
Expect More," Credit Card Management. 10th Anniversary 
Issue , May, 1998, pp 34-35; Jane Adler, “Two Faces of the 
Card Market,' Collections and Credit Risk, Vol. 7, No. 10, 
Oct., 2002, pp 48-54; Peter Lucas, “Score Updates," 

Collections and Credit Risk, Vol. 7, No. 10; Oct. 2002, 
pp 22-25. 

Source: authors' calculations utilizing TrenData, an aggre- 
gated credit report database product of Trans Union, LLC. 

Id. 

n Consumer Data Industry Association 
<www.cdiaonline.org>. 
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income groups experienced some rise in delin- 
quencies over the course of the past decade. 
However, as in the previous figure, there is lit- 
tle evidence that households in the lowest two- 
fifths of the income distribution experienced 
any greater increase in delinquency (in percent- 
age terms) than households in the other group- 
ings. All of this suggests net positive benefits to 
wider credit access across the income spectrum. 


grouping, the median ratio of households’ debt 
payments relative to their income. With the 
exception of one observation (1998 for 
households in the lowest fifth of the income 
distribution), the share of household income 
devoted to debt service is remarkably similar 
across all income groups, suggesting strong 
self-regulating behavior on the part of both 
borrowers and creditors. 

This is not to deny that some households do 
find themselves with unmanageable debt loads. 
But, as a group, households in the lower two- 
fifths of the income distribution do not carry 
greater debt burdens (payments as a percent of 
monthly income) than higher income house- 
holds, and their burden has not significantly 
increased over the past decade. 

Figure 5 displays the percent of households 
who were delinquent on any debt payment 60 
days or more during the previous year. Not 
surprisingly, the percentage of lower income 
households that experience payment difficulties 
is higher than the delinquency rate for higher 
income households. Relative to higher income 
households, those households in the lower part 
of the income distribution often have incomes 
that are more vulnerable to interruption and 
generally have fewer assets to function as a 
cushion when budgets are tight. Notice that all 



To summarize, in the United States, 
comprehensive credit reports have improved 
the efficiency of credit markets, led to powerful 
improvements in risk-management technology 
(like credit scoring), and brought consumers 
more product choices, lower prices, and more 
equitable treatment. Robust, national credit 
reporting has made it possible for more people 
to have access to more credit without increased 
defaults. 


Enhanced Competition 

Because it dramatically reduces the cost of 
assessing the risk of new borrowers, credit 
report information encourages entry by new 
lenders and greater competition. A significant 
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obstacle to new entry into an established loan 
market is the prospect that the only customers 
interested in the new lender’s product are the 
ones who have been rejected by other lenders 
because of their higher risk. This problem that 
economists call “adverse selection” can sharply 
limit the number of competitors in a market, 
especially if information on a borrower’s past 
credit experience is costly to obtain.* Credit 
report information lowers those costs. It follows 
that the more detailed the credit history 
available to new entrants, the more competitive 
will be the market for new loans. 

The credit card industry provides a prime 
example of the pro-competitive effects of 
nationwide credit reporting in the United 
States. Through the late 1970s, most credit 
cardholders acquired their cards through their 
local financial institutions, often by picking up 
applications at a branch. Choice was limited to 
the number of issuers in the local area who 
happened to offer a card product. Customers in 
smaller towns had fewer choices than residents 
of large cities. Local institutions faced little 
threat of entry into the market by financial 
institutions outside the state or region, a fact 
that was reflected in higher prices and little 
variance in card features. 39 

All of this began to change in the early 
1980s. A key legal decision in 1978 gave 
national banks the ability to launch national 
credit card marketing programs at far lower 
cost than before. 40 The ability under the FCRA 
to acquire information about potential card- 
holder prospects, irrespective of location, made 
it possible for companies — both new and 
established — to enter new geographic markets, 
often with astounding speed. 41 In particular, the 
use of prescreening to target applicants 
provided the jet fuel for the acceleration in card 


offerings and competition. New entrants used 
credit reports and other externally acquired 
information to identify and target low-risk 
borrowers for their low-rate cards throughout 
the United States. Retailers and manufacturers 
introduced their own “co-branded” bank credit 
cards as unique alternatives to the traditional 
Visa and MasterCard products being offered by 
banks. Companies with established products 
and brands outside the financial services 
market (General Motors, General Electric, 
AT&T, Sears) combined data about existing 
customers of their corporate affiliates with infor- 
mation from credit reports and other external 
sources to identify and reach likely prospects. 
Many of these new products came without an 
annual fee and gave consumers an opportunity 
to earn cash rebates or free products and 
services each year depending upon their charge 
volume. Thanks to the success of those new' 
market entrants, cards offering frequent traveler 
miles, rebates, and other consumer benefits have 
become commonplace. 

The wave of new entrants to the bankcard 
market put great downward pressure on the 
finance charge rate and annual fees charged by 

m Giovanni Dell’Ariccia, Ezra Friedman and Robert Marquez, 
“Adverse Selection as a Barrier to Entry in the Banking 
Industry," RAND Journal of Economics, Vo!. 30, No. 3, Aut,. 
1999, pp 515-534. 

For further discussion of competitive conditions in credit 
card markets see Christopher R. Knittel and Victor Stango, 
“Price Ceilings as Focal Points for Tacit Collusion; Evidence 
from Credit Cards,” mimeograph. Federal Reserve Bank of 
Chicago, Nov. 10, 2001. 

*' Marquette National Bank of Minneapolis v. First of Omaha 
Sendee Corp., 439 U.S. 299 (3978). 

“ Following its introduction in 1992, the General Motors 
MasterCard established 2 million accounts and more than 
$500 million of balances in its first 60 days, making it the 
most successful credit card launch in U.S. history. See Martin 
Dickson, “Record Take-Up for GM Card,” Financial Times, 
Nov. 17, 1992, p 26. 
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existing issuers. Incumbent issuers were forced 
to make a choice: either leave their rate 
unchanged and risk defection of their best 
customers to the new, low-rate entrants or cut 
finance charge rates and fees. As a result, 
between 1991 and 1992 the proportion of all 
revolving bankcard balances in the United 
States being charged an APR greater than 18.0 
percent plummeted from 70 percent to 44 
percent in just twelve months. 4 * 


Figure 6 

U.S. Bankcard Ownership by Household Income 
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The ability of new entrants to use credit 
report data to establish and cultivate relation- 
ships with customers thousands of miles away 
has transformed the competitive landscape in 
the United States, injecting price and service 
competition into the credit card market which 
had not been known for either. Economists 
Richard Schmalensee and David Evans 
reinforce this point: “The industry has 
expanded robustly in the past 20 years. 
Output measured by the number of cards 
issued, the amount charged on cards, and the 
amount of charges that are financed, has 
risen dramatically. Prices, as measured by the 
average revenue issuers receive after 
adjusting for charge-offs, have fallen. The 
expansion of the industry has taken place 


through both the continuous entry of new 
issuers and the growth of existing ones.” 4 ' 

Tiered, risk-based pricing based on credit- 
report data made it possible for any given 
issuer to serve a broader range of customers. 

In 2001 a Federal Reserve Board study noted 
that “Many card issuers that in the past 
offered programs with a single interest rate 
now offer a broad range of card plans with 
differing rates depending on credit risk and 
consumer usage patterns.” 44 

Not surprisingly, one consequence of the 
explosion in credit card competition and 
adoption of risk-based pricing has been a 
dramatic increase in the percentage of U.S. 
households owning at least one general-purpose 
bank credit card, from 43 percent in 1983 to 73 
percent by 2001. Figure 6 reveals substantial 
gains in ownership in every income group, but 
the gains were much larger among lower 
income households. Overall, 30 million more 
U.S. households had a bankcard in 2001 than 
was the case in 1983. 

The availability of credit report data 
transformed the competitive landscape of the 
credit card industry in the United States, 


'■ RAM Research Corp., Card Trak. no. 28, April, 1993. To be 
sure, market interest rates (including the prime rate) fell by 
approximately 400 basis points between 1990 and 1994, but 
they also fell by over 200 basis points during the mid 1980s, 
with no comparable decline in credit card interest rates. 
Competitive pressures were much greater by the early 
1990s, forcing issuers to develop innovative pricing strate- 
gies to prevent defection of their best customers. It is no 
coincidence that this was the period during which variable 
rate cards (with interest rates tied to the prime rate or some 
similar index) gained substantial market share. 

i;i David Evans and Richard Schmalensee, Paying with 
Plastic: The Digital Revolution in Buying and Borrowing, 
MIT Press. 2000, p 246. 

w The Profitability of Credit Card Operations of Depository 
Institutions, Board of Governors of the Federal Reserve 
System. Jun. 2001. 
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intensifying price and service competition.*’’ In 
contrast, laws that would inhibit the assembly 
of comprehensive credit reports act as a barrier 
to competition by giving the dominant incum- 
bent lender a monopoly over the information it 
possesses about its customers, and denying new 
market entrants the information needed to 
provide and market competitive services. Such 
laws, Robert Li tan, vice president and director 
of the Economic Studies Program and Cabot 
Family Chair in Economics at the Brookings 
Institution, has written, “raise barriers to entry 
by smaller, and often more innovative, firms 
and organizations.” 4 ' 3 

Ownership rates for unsecured credit cards 
puts the difference in access to credit across 
countries in sharpest perspective. Table 2 com- 
pares the number of cards owned per thousand 
people in the United States verses eight EU 
countries. Ownership rates are vastly higher in 
the United States. Indeed, the rankings in card 
ownership strongly resemble the rankings of 
countries by the amount of detail in credit 
bureau reports. This is all the more significant 
because unsecured, revolving lines of credit are 
considered to be much higher risk than secured 
loans because of the lack of collateral and the 
lender’s exposure in the untapped line. 

Literally, the borrower’s reputation (past and 
future) is the lender’s assurance that the loan 
will be repaid. For this product, comprehensive 
credit reports are the most valuable. 

Although cultural differences across 
country borders surely explain some of the 
variance in card ownership in Table 2, it is 
hard to avoid the conclusion that the presence 
of more detailed credit histories in the United 
States is responsible to a large extent for the 
much higher rate of credit card ownership. 
Indeed, an Industry Report on the global 


credit card industry prepared by Morgan 
Stanley Dean Witter confirms this conclusion 
regarding the impact of the credit reporting 
environment as a boon or impediment to new 
entrants. Of the United Kingdom, the Morgan 
Stanley report had this to say: “Barriers to 
entry are low and new companies are still 
entering. U.K. credit bureaus have access to 
almost as much data as do those in the United 
States, allowing companies to launch targeted 
direct mail campaigns.” 

Their assessment of competitive conditions 
and entry prospects in other European 
countries contrasts sharply. For example, 
“France is a difficult market to crack.” In 
addition to a cartel-like organization that con- 
trols the nation’s merchant terminal structure, 
“[Ijack of a central credit bureau in the 
country is another hindrance, since the credit 
information made available through the 
Banque de France is limited to negative or 
so-called black data. This information is held 
for only one year.” The report’s authors write 
that while “Italy is an open market ” “i'tjhe 
biggest obstacle to new entrants is the lack of 
a centralized credit bureau.” They note that 
“[n]ew entrants in Spain’s revolving credit 
market face some challenges. The lack of 
availability of credit information on consumers 
is one problem, as the country does not have 

r ' One card industry executive remarked in 1998, “Ten years 
ago, credit cards were an under-marketed business. Issuers 
are now more sophisticated in their approach to underwrit- 
ing, pricing and targeting offers at consumers. The entry of a 
lot of powerful marketers like AT&T and General Motors 
woke people up and made them realize they were not as 
aggressive as they could be." See Peter Lucas, “Marketing’s 
Long and Winding Road," Credit Card Management 10th 
Anniversary Edition, May 1998, pp 26-30. 

<6 Robert E. Litan, Balancing Costs and Benefits of New 
Privacy Mandates, AEI-Brookings Joint Center for 
Regulatory Studies Working Paper 99-3, p 11 (1999). 
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centralized credit bureaus to collect and 
exchange credit information ” 47 

Other evidence from Europe provides 
additional confirmation of the relationship 
between robust credit reporting and competi- 
tion. New service providers in financial servic- 
es markets require access to credit data to 
thrive and the presence of comprehensive, 
accurate, and up-to-date credit reports facili- 
tates new competition. Restrictive or ineffi- 
cient credit reporting laws act as a barrier to 
competition by giving the dominant incumbent 
a monopoly over the information it possesses 
about its customers and denying new market 
entrants the information needed to provide 
and market financial services. In Europe, 
where comprehensive credit reports are not 
readily available, financial services are 
provided by far fewer institutions — one-tenth 
the number that serve U.S. customers — 
despite the fact that the pan-European market 
has almost one and one-half times as many 
households. w This means that European 


consumers have fewer choices of companies 
and services, fewer locations at which they can 
obtain financial services, and fewer ATMs — 
one-third the number in the United States — 
at which they can obtain and deposit funds. 43 

In France, for example, the EU country 
with some of the strictest financial privacy 
laws, seven banks control more than 96 
percent of banking assets. 50 Laws that restrict 
the availability of complete, reliable credit 
histories help facilitate this type of 
concentration. The seven dominant French 
banks, each with assets over $100 billion, 

‘ Kenneth A. Posner, Athina Meehan and Geula Daniel, 
Industry Report: Global Credit Cards. Morgan Stanley Dean 
Witter Equity Research, Mar. 21, 2001, pp 75, 78-79, 81. 83. 

Walter F. Kitchenman, The European Union Directive on 
Privacy as a Barrier to Trade 6 (The Tower Group, 2000). 

• Id. 

In particular, France does not allow “positive” credit 
reporting, i.e., delinquent accounts may be reported, but 
lenders may not share information about accounts in good 
standing. Consequently, unless a borrower has had past 
payment difficulties, he has no credit history at all. 


Table 2. Credit Card Ownership, 1997 (per 1000 people in population) 


Country 

Superpremium + 
Premium 

Corporate 

Standard 

Total 

United States 

650.4 

20.9 

945.0 

1616.3 

United Kingdom 

91.3 

22.5 

546.7 

660.5 

Belgium 

53.0 

6.9 

197.4 

257.3 

Netherlands 

38.3 

9.4 

195.9 

243.5 

Spain 

26.5 

4.3 

212.0 

242.8 

Sweden 

44.2 

46.4 

85.8 

176.4 

Germany 

39.7 

4.6 

127.8 

172.0 

Italy 

18.2 

9.7 

109.1 

137.0 

France 

25.1 

3.1 

68.3 

96.6 


Source: Lyn C. Thomas, David B. Edelman, and Jonathan N. Crook, Credit Scoring and its Applications, Society for Industrial and 
Applied Mathematics, Philadelphia, 2002, p 212. 
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already own extensive databases; they have 
no need to share information about their 
customers with anyone. In fact, they don’t 
want to share information about their 
customers. The fact that this system restrains 
innovation, hurts customer choice, and 
increases price is not a great concern to those 
banks because the same system also restrains 
competition and makes it easier to hold 
customers and capital captive. 


Speed and Convenience 

The depth of information in U.S. credit reports 
enhances the speed of credit, insurance, and 
other financial service decisions. Even very 
significant decisions about financing a college 
education or a new home or writing automobile 
or homeowners insurance are often made in a 
matter of hours or minutes, instead of days and 
weeks as is the case in most other countries, 
because credit history data is readily accessible. 
A survey of auto lenders in the United States 
revealed that in 2001, 84 percent of automobile 
loan applicants received a decision within an 
hour; 23 percent of applicants received a 
decision in less than 10 minutes.’ 1 Many 
retailers open new charge accounts for 
customers at the point of sale in less than two 
minutes. According to FTC Chairman Muris: 

Many fail to appreciate that the average 
American today enjoys access to credit 
and financial services, shopping choices, 
and educational resources that earlier 
Americans could never have imagined. 
Today, we can check our credit card and 
bank balances over the phone 24 hours a 


day, we can order books, clothes, or gifts 
online while we are having our first cup 
of coffee in the morning, or we can review 
our finances in a convenient consolidated 
statement whenever we like. What I per- 
sonally find most astounding is what 
occurs all over America at auto dealers 
every day. If consumers have good credit, 
they can borrow $10,000 or more from a 
complete stranger, and actually drive 
away in a new car in an hour or less. I 
call this the “miracle of instant credit.” 52 

The variety and speed of such services are 
unheard of in most other countries where 
restrictive laws often prevent credit bureaus 
from storing sufficient information on consumer 
borrowing and payment behavior to support 
rapid and accurate decision-making. “When you 
think about it,” Muris concluded, “this event is 
extraordinary. This ‘miracle’ is only possible 
because of our credit reporting system.” 53 


Catalyst to Productivity Growth 

The availability of comprehensive and timely 
credit report data contributes to the mobility of 
both labor and capital in the U.S. economy. As a 
result, credit reporting is arguably one of the 
key elements of the U.S. infrastructure that 
underpins the remarkable productivity growth 
of the past decade. 

"■ Consumer Bankers Association, 2002 Automobile 
Financing Survey. 

Si Muris, supra. 

M Id. 
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A number of economic studies have now 
concluded that the proliferation of computer 
and information technology was largely respon- 
sible for the productivity surge in the United 
States. However, what was remarkable about 
this development was that the same factors 
were available worldwide, but for the most part 
we did not witness similar productivity growth 
elsewhere. Economists who study productivity 
growth are increasingly conceding that the 
secret to the flexibility and resiliency of the U.S. 
economy lies in the underlying institutions that 
promote efficiency in capital and labor markets. 
These institutions allow both capital and labor 
to reallocate to their highest valued uses.” 

A good example of such an institution is the 
U.S. regulatory framework that facilitates the 
transfer of personal credit history data for per- 
missible purposes. Portable credit “reputations” 
give consumers greater mobility, and make us 
more open to change. From a labor market 
perspective, the credit reporting system under 
FCRA has increased our mobility as a society, 
so that structural shifts within the economy 
can cause temporary disruptions but without 
crippling long-term effects. There is less risk 
associated with severing old relationships and 
starting new ones, because objective informa- 
tion is available that helps us to establish and 
build trust in new locations more quickly. 

In contrast, more restrictive, and inconsis- 
tent, credit reporting laws in Europe prevent 
European consumers from taking full advan- 
tage of their complete credit histories. The fact 
that credit information is not mobile restricts 
the mobility of consumers, because of the result- 
ing difficulty of obtaining credit from new insti- 
tutions. As a result, economist Walter 
Kitchenman writes that consumer lending in 
Europe “where it exists, is concentrated among 


a few major banks in each country, each of 
which has its own large databases .” 55 In fact, 
European consumers, although they outnumber 
their U.S. counterparts, have access to one-third 
less credit as a percentage of Gross Domestic 
Product. 

A developed credit reporting system makes 
capital more mobile as well. There is growing, 
cross-country empirical evidence that the 
increased efficiency of capital markets is a 
powerful determinant of growth. Improved risk 
sharing — by spreading risks over a larger pool 
of capital and a larger number of investors — 
lowers the cost of capital, and leads to greater 
investment. ' K This is why Walter Kitchenman 
has described the “almost universal reporting” 
of personal information about consumers as 
not only the “foundation” of consumer credit 
in the United States,” but also as the “secret 
ingredient of the U.S. economy’s resilience .” 57 

Investment in financing small business 
startups is a prime example. Small business 
formation in the United States has benefited 
directly over the past decade from the underly- 
ing credit reporting system. According to the 
National Federation of Independent Businesses, 


'■* For example, see Christopher Gust and Jaime Marquez, 
“International Comparisons of Productivity Growth: The 
Role of Information Technology and Regulatory Practices,” 
International Finance Discussion Papers, No. 727, Board of 
Governors of the Federal Reserve System, May 2002. 

“ Kitchenman, European Union Directive, supra, at 3; Geert 
Bekaert, Campbell Harvey and Christian Lundlbad, “Does 
Financial Liberalization Spur Growth?” National Bureau of 
Economic Research Working Paper No. 8245, Apr. 2001. 

Geert Bekaert, Campbell Harvey and Christian Lundlbad, 
“Does Financial Liberalization Spur Growth?” National 
Bureau of Economic Research Working Paper No. 8245, 
National Bureau of Economic Research, Apr. 2001. 

Walter F. Kitchenman, U.S. Credit. Reporting: Perceived 
Benefits Outweigh Privacy Concerns (The Tower Group 
1999). 
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seven out of ten small-business owners start 
their businesses with less than $20,000. 5S By 
the early 1990s, credit analysts had determined 
that personal credit reports for small business 
owners and partners were highly predictive of 
the success of the business. Commercial score- 
cards for evaluating small business loans were 
introduced to the market in 1995. Since then, 
research has shown that small business credit 
scoring is associated with “a net increase in 
lending to relatively risky marginal borrowers, 
that would otherwise not receive credit.” 59 Other 
research has shown that, much like the case in 
consumer credit markets, small businesses are 
increasingly dealing with banks and other 
lenders located far away. The authors conclude 
that “greater, and more timely, availability of 
borrower credit records, as well as the greater 
ease of processing these may explain the 
increased lending at a distance. Consistent with 
such an explanation, distant firms no longer 
have to be observably the highest quality 
credits, suggesting that a wider cross-section of 
firms can now obtain funding from a particular 
lender.”* 0 These findings have great significance 
for economic growth in the United States. 

Small businesses represent over 99 percent of 
all employers in the United States, create 80 
percent of all new jobs, and account for about 
38 percent of Gross Domestic Product.* 1 
As we have seen, credit reporting allows 
lenders to cut through the “fog of uncertainty” 
to better evaluate potential borrowers. The 
transparency of risk in single loans enables 
creditors to document that risk, and subse- 
quently pool loans of similar risk and sell them 
to investors. This ability to securitize and resell 
consumer and mortgage loans in secondary 
markets brings huge amounts of loanable funds 
into consumer credit and mortgage markets, 


making credit cheaper and more readily 
available. 

The enormous growth and new entry into 
the U.S. credit card market was fueled in part 
by the influx of loanable funds during the 1990s 
made possible through securitization. At the 
end of 1990, there were $1 billion of securitized 
credit card balances in the United States, less 
than 1 percent of all outstanding card balances. 
By the end of 1996, securitized card balances 
totaled $178 billion, about 45 percent of total 
outstanding card balances. As of the end of 
2002, securitized receivables comprised nearly 
56 percent of over $700 billion in revolving 
credit outstanding. According to Richard C. 
Drason, associate director at ratings agency 
Fitch IBCA, securitization “played a major role 
for smaller players, for players just getting into 
the business, and for regional players trying to 
grow nationally. It gave them access to cheaper 
funds that they might not have been able to 
obtain.”"- Securitization has been especially 
helpful to non-depository credit card companies 
that did not have access to consumer deposits 
to use to make card loans. The transparency of 
risk in the accounts that underpin credit card- 
backed securities gives even distant investors 


'■* National Federation of Independent Business 
<www.nfib.com>. 

J ’ Allen N. Berger. W. Scott Frame and Nathan II. Miller, 
"Credit Scoring and the Availability, Price and Risk of Small 
Business Credit," Federal Reserve Board Working Paper. 
April 2002. 

6 " Mitchell A. Petersen and Raghuram G. Rajan, "Does 
Distance Still Matter? The Information Revolution in Small 
Business Lending." National Bureau of Economic Research 
Working Paper 7685. May 2000. 

“ National Federation of Independent Business 
<www.nfib.com>. 

6; ' Linda Punch, “The Legacy of Card Bonds,” Credit Cord 
Management 10th Anniversary Issue., May 1998, pp 36-38. 
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such confidence that MBNA’s chief financial 
officer remarked “Our (card-backed) securities 
are well-received in all comers of the globe, 
from England to the Far East to Australia. 
Many times the deals are oversubscribed .” 63 

Again, the European Union provides a 
contrast. Cross-border competition has 
benefited the corporate lending market over 
the past decade, but consumer loan markets 
remain fragmented. Conversion to a common 
currency within the European Union has not 
been enough to remove persistent cross-border 
differences in consumer loan interest rates. 
Adjustments to changing market interest rates 
conditions are faster in some countries but lag 
far behind in other countries. Economists have 
concluded that to lower the cost of consumer 
loans it will be necessary to encourage 
cross-border penetration by retail lenders to 
bring loan rates into closer alignment across 
countries. 6 * Of course, as was noted above, one 
of the impediments to cross-border consumer 
lending to some countries is the lack of 
information about borrowers, a direct result 
of lack of harmonization of credit reporting 
rules across EU countries. 


Public Safety and Security 

Credit reports have long played an important 
role in protecting public safety. For example, 
one of the “permissible purposes” for which the 
FCRA permits credit reports to be used is to 
screen applicants for employment. Because 
credit reports include public record data, past 
addresses, and prior names, they have proved a 
useful and convenient way to check for past 
criminal convictions when employing school bus 


drivers, child care workers, security guards, and 
people to fill other sensitive positions. 

Credit reports are an important tool in 
preventing financial fraud, because they pro- 
vide a comprehensive picture of an individual’s 
financial dealings. They are also becoming an 
increasingly potent weapon in the fight against 
identity theft, because they provide a reliable 
source of dynamic information that can be used 
to identify applicants for credit and other 
financial services. Rather than rely on an 
easily forged document like a driver's license or 
static information like mother’s maiden name, 
businesses can verify the identity of customers 
or employees against an array of often- 
changing data points, such as outstanding 
mortgage balance or open credit lines. 

The federal government has recognized the 
unique resource that credit reports provide for 
identity verification and has begun exploring 
using them as an efficient, cost-effective tool for 
identifying passengers boarding airplanes, 
visitors entering government buildings, and in 
other settings where positive identification is 
necessary to protect public safety. Moreover, the 
Transportation Security Administration is 
exploring an expanded use of credit reports to 
identify potential terrorists and security threats 
by analyzing credit report data. To be certain, 
credit reports are only one of many tools for 
responding to terrorist threats, and some of 
these proposed uses pose important policy and 


w Id., P 38. 

“ Friedrich Heinemann and Martin Schuler, “Integration 
Benefits on EU Retail Credit Markets-Evidence from 
Interest Rate Pass-through,” manuscript, Zentrum fur 
Europaische Wirtschanftsforschung. Mannheim, Germany, 
Nov. 2001, available at www.ecri.be; KJeimer and Sander, 
“Consumer Credit Rates in the Eurozone: Evidence on the 
Emergence of a Single Retail Banking Market,” European 
Credit Research Institute Research Report No. 2, Jan. 2002. 
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legal issues, but these proposals highlight the 
importance to individual safety and public 
security of accessible credit reports as sources 
of comprehensive, nation wide, accurate, and 
up-to-date information. 


Reduced Costs 

In the United States, comprehensive credit 
reports have improved the competitiveness and 
efficiency of credit markets, led to powerful 
improvements in risk-management technology 
(like credit scoring), and brought consumers 
more product choices, lower prices and more 
equitable treatment. To the extent credit 
reports enable lenders to do a better job of 
assessing and pricing borrower risk, they rein- 
force borrower incentives to manage credit 
wisely and avoid delinquencies and defaults. 

All of this ultimately lowers the cost of credit 
to consumers. 

Reliable, centralized, and standardized con- 
sumer credit information also makes it possible 
to pool consumer loans and then sell them to 
investors. Securitization, as already noted, 
makes more capital available to consumers and 
greatly reduces the cost of credit. A Tower 
Group consulting study concluded that U.S. 
mortgage rates are two full percentage points 
lower than in Europe because it is possible to 
securitize and sell mortgage loans/” 
Consequently, American consumers save as 
much as $120 billion a year on nearly $6 
trillion of outstanding mortgages because of the 
efficiency and liquidity that credit report data 
make possible.™ 

Robust credit reporting contributes to 
saving consumers money in other ways as well. 


For example, by making refinancing easy and 
fast, credit reports allowed eleven million U.S. 
homeowners to refinance their home mortgages 
to take advantage of lower interest rates during 
just a 15-month period in 2001 and early 2002. 
Doing so allowed them to collectively save an 
estimated $3.2 billion annually in mortgage 
payments/ 7 U.S. lenders are also increasingly 
taking advantage of accessible credit reports to 
allow consumers to refinance auto loans. We 
have also already seen how improved risk 
sharing — by spreading risks over a larger pool 
of capital and a larger number of investors — 
lowers the cost of capital, thereby making credit 
available to consumers more affordably. 


Summary 

The U.S. credit reporting system has benefited 
all consumers by facilitating access to more 
credit and financial services, especially for 
traditionally underserved populations. It has 
improved the accuracy of financial decision- 
making, generating substantial benefits for 
individual consumers as well as the entire 
economy. Ubiquitous credit information has 
significantly enhanced competition and lowered 
prices by making it possible for existing 
financial institutions to compete for customers 


® Kitchenman. U.S. Credit Reporting. 

“ If mortgage interest rates are 2 percent lower as a result of 
securitization. 2 percent of $6 trillion in outstanding mort- 
gages equals a $120 billion savings in interest each year. 

Glenn Canner, Karen Dynan and Wayne Passmore, 
“Mortgage Refinancing in 2001 and Early 2002,” Federal 
Reserve Bulletin, Dec. 2002, pp 469-481. 
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nationally, by enabling businesses other than 
financial institutions to begin offering 
competitive products and services, and by 
leveling the playing field so that new entrants 
could overcome the advantage of established 
lenders in assessing new customers. The credit 
reporting system has significantly reduced costs 
for mortgages, credit card, and other financial 
services, saving U.S. consumers hundreds of 
billions of dollars each year. Accessible credit 
information has dramatically improved 
consumer convenience, making possible the 
“miracle” of instant credit; consumers can even 
apply for a mortgage or auto loan by phone or 
via the Internet and get a decision within 
seconds. The U.S. system of credit reporting 
greatly enhances consumer mobility and choice, 
as well as public safety and security. 


The Threat of 
New Restrictions 
on Credit Reporting 

Proposals to abandon uniform national 
standards by eliminating federal preemption 
for the eight core areas currently protected 
under FCRA threaten the diverse array of 
benefits that flow from the current credit 
reporting system under the FCRA. While most 
aspects of credit reporting are vulnerable to the 
high costs of state or local regulation, some are 
especially at risk. This explains why Congress 
first preempted state-level regulation in these 
areas in 1996. There are many examples, but 
the following three illustrate the risk. 


Voluntary Reporting 

Because no one is required to provide 
information to credit bureaus, if furnishers of 
information faced significant compliance 
burdens or liability, as would be the case if 
complying with separate and even inconsistent 
state laws, they would be more likely to stop 
contributing the information. Recognizing the 
special vulnerability of the entire credit 
reporting system, in 1996 Congress excluded 
the states from regulating the responsibilities 
of furnishers of credit information. 

Voluntary reporting has already proved 
fragile as some financial institutions have 
reportedly withheld information about their 
best customers out of concern that it might be 
used by competitors to try to attract those 
customers. Some credit grantors, for example, 
choose to report derogatory information only 
(e.g., delinquencies, charge-offs), but not 
accounts in good standing. Some choose not to 
report at all. The industry and regulators have 
long fought this practice, because even the 
absence of a small amount of relevant 
information from credit reports could dramati- 
cally reduce their usefulness and lead to less 
accurate credit decisions and less access to 
credit for people who need it most.** 

Imposing liability for errors or significant 
additional burdens on the furnishers of 
consumer data to credit bureaus would 
encourage some (perhaps many) firms to 
curtail or cease reporting. In particular, liability 
for errors could discourage the reporting of 
negative events regarding a consumer’s account 

“It's Essential That Lenders Report Credit Data,” The 
Commercial Appeal (Memphis, TN), Jan. 23, 2000, p C2. 
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(e.g., delinquency). They would no longer 
enhance the quality and depth of the bureau 
information by contributing their portfolio 
experience. The predictive accuracy of scoring 
models would quickly deteriorate if non- 
participation became commonplace. Increased 
or disparate standards of furnisher liability 
would be inconsistent with current regulatory 
initiatives to encourage robust reporting, and 
could easily undermine the value of credit 
reporting. 


Obsolescence Determinations 

The 1996 amendments also precluded states 
from regulating when adverse data would be 
considered “obsolete” and therefore could not 
be included in credit reports. Currently, 
information on delinquencies, accounts placed 
with collection agencies, tax liens and similar 
events must be excluded from credit reports 
after seven years (with the exception of a notice 
of bankruptcy, which may remain for ten years). 
Proponents of accelerated deletion argue that 
the old information is “stale” and therefore 
may no longer be relevant to determining an 
individual’s creditworthiness. 

The available evidence, however, suggests 
that these arguments are wrong. Derogatory 
information continues to distinguish levels of 
credit risk “even as the information ages.” 6 '-' 

The results of one 1990 study are particularly 
interesting. The study found that “significantly 
more people who declare bankruptcy have older 
public record derogatory information but none 
in recent years, than do all people. As a result, 
if creditors are not allowed to know of public 
record derogatory information that is four years 


old or older, they may lose an important 
predictor of future bankruptcy.” 78 

Since storage of old information entails pos- 
itive costs, simple economics suggests that 
bureaus will retain data only so long as its 
value (enhanced prediction of risk) exceeds the 
storage cost. If creditors find old derogatory 
information is useful, then they will pay more 
for files that have it (or purchase reports more 
frequently). Laws that prohibit the use of such 
information degrade the reporting system’s 
value for predicting risk. 


Opt-ln Consent 

The 1996 amendments to the FCRA 
explicitly authorized the sharing of personally 
identifiable information among affiliated 
companies and with anyone for the purpose of 
marketing credit or insurance opportunities to 
consumers, provided that consumers are given 
an opportunity to opt out of that sharing. 71 
Congress thought these activities too 
important to subject them to divergent state 
regulation. Some privacy advocates propose 
allowing states to alter the balance struck in 
1996 by shifting to an opt-in regime for using 
credit report data to market credit products to 
their residents. Some of these opt-in proposals 
would require companies to obtain explicit 


m Fair, Isaac Companies, The Associated Credit Bureaus, Inc. 
Study on Adverse Information Obsolescence Phase 1, Sep. 
1990, p 3. 

Fran Lyons and Lee Allen, “Importance of Aged Public 
Record Derogatory Information," Dialogue, MDS Group, Fall 
1990, p 6. 

” 15 U.S.C. §§ 1681a(dX2XAXiii), 1681b(cX5). 
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consumer consent prior to using personally 
identifiable information for prescreening or 
before sharing such information among 
affiliates. 

An opt-in system for giving consumers 
choice over information usage is always 
more expensive than opt-out because it 
requires each company that wishes to use 
personal information to target its marketing 
efforts and gain explicit consent from each 
consumer prior to making any offers. In 
contrast, opt-out is less costly because it 
infers permission if consumers don’t 
explicitly object. Based on the studies and 
company experience-to-date, it appears that 
conditioning the use of information on opt-in 
consent is tantamount to banning the use 
outright.™ 

This makes an opt-in system for permissi- 
ble use an especially great impediment to 
new and smaller credit market entrants, 
who lack extensive customer lists of their 
own or the resources to engage in mass 
marketing to reach consumers likely to 
be interested in their products or services. 

If information for targeting offers is 
unavailable because the cost of soliciting 
opt-in consent is too great or because too few 
customers have received and responded to 
opt-in requests, new competitors may be 
unable to market their products and services 
at all. A proliferation of opt-in requirements 
across multiple states would balkanize credit 
marketing. Credit availability would be 
uneven across the country, but independent 
of either the creditworthiness of borrowers or 
underlying economic conditions. Such a trend 
would erode the consumer benefits from 
national competition that were highlighted in 
the previous sections. 


National Credit 
Reporting 

Credit reporting in the United States today is 
inherently national. The value of the entire 
system depends upon data being collected 
about borrowers who travel and use credit 
nationwide, and collected from creditors who 
are located throughout the country and deal 
with customers nationwide. This is why credit 
bureaus have undergone such consolidation and 
integration during the past half-century. 

Indeed, credit reporting has contributed to 
consumer mobility by breaking down entry 
barriers and opening up markets to national 
and global competition. 

Virtually all of the benefits to individuals 
and the economy from the current U.S. report- 
ing system result from its national character. 
National credit reporting has made possible 
national competition in the market for credit 
and other financial services. That competition 
depends on the ability of banks and other card 
issuers to enter distant markets and provide 
customer service across state lines. Capturing 
credit data on a state-by-state basis provides 


! -‘ For a more detailed discussion and results from case 
studies see Michael E. Staten and Fred Cate, “The Impact of 
Opt- In Privacy Rules on Retail Credit Markets: A Case 
Study of MBNA,” 52 Duke. Law Journal (forthcoming 2003). 

" A simple example illustrates the point. Not a single one of 
the ten largest bank card issuers is located in Texas, the 
second-most populous state in the U.S. Those top ten issuers 
held 83 percent of all bank card receivables at the end of 
2001. Consequently, it is quite likely that 80 percent or more 
of Texans with bank cards are borrowing from and making 
payments to one or more out-of-state financial institutions. 
This is the rule rather than the exception, and reflects the 
national character of U.S. credit markets. Card Industry 
Directory, 2003 Edition, Thomson Media, New York, 2002, p 17. 
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little value because the vast majority of con- 
sumers deal with creditors from out of state. 73 

Consumers in the U.S. are remarkably 
mobile, thanks in part to the ubiquitous 
availability of credit reports. Forty-two million 
Americans — approximately 16 percent of the 
U.S. population — move each year. As of 1998, 
there were 6 million vacation or second homes 
in the United States, often in states different 
than the owners’ primary homes. 74 A growing 
number of consumers live in one state and 
work in another. This is especially true in major 
urban centers, such as New York, New Jersey, 
and Connecticut, or Virginia, Maryland, and the 
District of Columbia, where population is most 
concentrated. 

Compartmentalizing credit histories state- 
by-state would ill serve consumers as they 
move, commute, and travel across state lines. It 
would leave holes (potentially large ones) in a 
consumer’s credit file. Moreover, even if it did 
not in the case of a particular borrower, the fact 
that it could would greatly reduce the reliabili- 
ty of credit reports. How is a lender to know 
whether the picture of the consumer that the 
report presents is complete or not? 

The cost of determining which state law or 
laws applied, and of complying with those laws, 
could easily undermine the credit reporting 
system. That system deals in huge volumes of 
data — over 2 billion trade line updates, 2 
million public record items, an average of 1.2 
million household address changes a month, 
and over 200 million individual credit files. Its 
viability depends on achieving exceptional 
efficiency in matching and processing updates 
so that files can be maintained at low marginal 
cost. In turn, this keeps the cost of providing 
credit reports low. In the face of greater central- 
ization and unification of markets, and the 


increased mobility of both consumers and the 
goods that they desire, crafting, implementing, 
complying with, and enforcing 51 separate laws 
governing credit reporting will always be more 
expensive than is the case with a single law. 73 
If state and local laws are inconsistent, 
compliance costs are greatly exacerbated. 

Worse still, it may be impossible for a busi- 
ness to comply with the conflicting provisions of 
state credit reporting laws in all of the states in 
which it operates. This is especially true online. 
The Internet crosses state boundaries and has 
facilitated truly national (in many cases, global) 
markets. Yet the technologies of the Internet 
make it impossible to identify automatically in 
which state users are located. Even offline, 
however, businesses face a significant compli- 
ance challenge when faced with inconsistent 
state requirements. 75 

Historically, privacy advocates have argued 


'* Use and Misuse of Social Security Numbers, Hearings 
before the Subcomm. on Social Security of the House Comm, 
on Ways and Means, May 1.1, 2000 (statement of Stuart K. 
PrattV 

•' That number could go far higher: already Daly City, Contra 
Costa County. San Mateo County, and San Francisco have 
adopted their own ordinances regulating the sharing of 
financial information with affiliates and third parties-four 
separate laws, in addition to applicable federal and state 
laws, within one 20-mile area. Daly City Ordinance No. 1295 
(Sep. 9. 2002), as amended by Ordinance No. 1297 (Nov. 12, 
2002); Contra Costa County Ordinance No. 2002-30 (Sep. 24, 
2002). as amended by Ordinance No. 2002-44 (Nov. 5, 2002); 
San Mateo County Ordinance No. 4126 (Aug. 6, 2002). as 
amended by Ordinance No, 4144 (Nov. 5. 2002); San 
Francisco City Ordinance No. 237-02 (Dec. 20. 2002). 

!S An ironic example comes from the recent experience of 
gourmet ice cream manufacturer Ben & Jerry’s with food 
labeling. Although a vocal opponent of genetically altered 
milk, and one of the first U.S. companies to voluntarily label 
its products as containing only milk from untreated herds, 
the company had to abandon this practice — even though it 
and its customers desired it — “because of the difficulty of 
complying with multiple state labeling requirements," Dan 
L. Burk, “The Milk Free Zone: Federal and Local Interests in 
Regulating Recombinant bST,” 22 Columbia Journal of 
Environmental Law 227, 299 (1997V 
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for the need to replace state and local laws with 
a single, uniform privacy standard. A national 
standard offers better and more consistent 
privacy protection. In regard to the privacy of 
medical records, Helena Gail Rubenstein, from 
the Massachusetts Group Insurance 
Commission, has written that “normatively, 
privacy advocates and data users agree that 
any health information system that must 
operate within the confines of fifty different 
sets of ground rules cannot operate efficiently .” 75 

The absence of preemption. Professor Larry 
Gostin has written, “is self-defeating. It simply 
pushes the privacy battle into state legislatures 
and redirects the resources of the provider and 
research communities to costly lobbying efforts 
in the fifty state capitals. What will result is a 
patchwork of rules, as each state makes its own 
peace with the various interest groups.” The 
absence of preemption, he concluded, in a world 
in which “data needs do not recognize state 
boundaries” and businesses “operate in multiple 
states,” is to “increase the cost” to everyone who 
pays for goods and services in the modern 
economy . 78 

It is not clear why credit reporting should 
be different — why consumer privacy would be 
enhanced by “a patchwork of rules,” rather than 
a uniform national law. How are consumers 
served, for example, by receiving different 
notices of their rights under the FCRA or by 
waiting different amounts of time for reinvesti- 
gations of disputed data to be completed, 
depending upon the state or county or city in 
which they are located? 

The need for a single standard in the core 
areas of credit reporting is so great that if 
Congress fails to maintain one through federal 
legislation, it will likely emerge from the states. 
When the costs and complexity of complying 


with state-by-state legislation are high, then in 
the face of multiple legal standards, the most 
restrictive tends to dictate business practices. 
By complying with the most restrictive law, a 
business hopes to comply with the less restric- 
tive ones as well. 

In the case of credit information, states that 
adopt the most restrictive laws (and that are 
too populous or important for a business to 
simply cease to operate in), will set the de facto 
privacy standard for all other states. In the 
absence of express federal preemption, the most 
restrictive state privacy regime will ultimately 
effectively preempt both the privacy laws of 
other states and the federal standard as well. 
This is the irony of the current preemption 
debate. The question isn’t whether there will be 
de facto preemption, but rather from what 
source it will come: Congress or one state legis- 
lature imposing its laws on the entire country. 

Howard Beales, head of the FTC Bureau of 
Consumer Protection, noted this point when he 
was a professor at George Washington 
University Addressing the specific subject of 
product advertising, which is similar to credit 
reporting in terms of its national reach and 
high cost of entry, Beales wrote that “[t]he high 
costs of developing advertising and the lack of 
any marketing reason to distinguish between 
consumers based on their state of residence 
mean that, as a practical matter, actions by 
individual states will determine the content of 
advertising for consumers nationwide.” As with 
credit reporting, “it is the most restrictive 


” Helena Gail Rubenstein, “If I am Only for Myself, What 
Am I? A Communitarian Look at the Privacy Stalemate,” 25 
American Journal of Law and Medicine 203 (1999). 

78 Lawrence O. Gostin, “Health Information Privacy,” 80 
Cornell Law Review 451 (1995). 
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judgment, rather than the most accurate, that 
will effectively govern,” Beales noted. “If the 
most restrictive judgment” prevails, Beales 

concluded, “consumers are the likely losers 

Indeed, it is hard to imagine a system that is 
more likely to encourage advertisers” — or credit 
bureaus, he might have added — “to avoid 
altogether the kinds of objective product infor- 
mation that are most valuable to consumers.” 79 


Conclusion 

In 1996 Congress amended the FCRA to ensure 
that individuals would have the same substan- 
tive rights regarding collection and use of their 
credit histories irrespective of the state in 
which they live. Congress also guaranteed that 
the content of credit reports would be consis- 
tent across the country and the fundamental 
unfairness to both consumers and creditors of 
relevant information being reported under one 
state’s laws but withheld under another’s would 
be avoided. The 1996 amendments guarded 
against driving furnishers of credit information 
from the voluntary reporting system by overly 
burdensome compliance requirements or the 
threat of liability from separate or even 
inconsistent state laws. They also ensured that 
affiliated companies — whether or not dealing 
with credit information— would be able to share 
information freely, pursuant to federal law, 
without having to contend with regulatory 
barriers erected by state and local governments. 

By limiting the term of preemption to seven 
years, Congress provided a specific opportunity 
for policymakers to determine how well uniform 


national reporting standards have served the 
public. The consistent, overwhelming answer to 
this question provided, based on all of the 
available evidence we have examined, is that 
the national credit reporting system operating 
under the amended FCRA has generated 
extraordinary benefits for individual consumers 
and for the nation as a whole. Proposals to alter 
the 1996 framework by allowing the states to 
intervene in the protected core areas threaten 
to erode the benefits of robust, national credit 
reporting that consumers enjoy today. 

The economic scope of that threat is 
impossible to measure in advance, because it 
depends on the type and severity of adjustments 
to the existing reporting system and because 
the benefits of the U.S. credit reporting system 
are felt so broadly and are intertwined with so 
many areas of commerce. Nevertheless, a few 
examples make it clear that the magnitude of 
the threat posed by new restrictions on credit 
reporting could easily be in the hundreds of 
billions of dollars annually. 

For example, recall that a Tower Group 
consulting study calculated that U.S. mortgage 
rates are two full percentage points lower than 
in Europe because standardized credit inforiha- 
tion facilitate the sale and securitization of 
mortgage loans.* 0 That amounts to a $120 
billion savings every year on nearly $6 trillion 
of outstanding mortgages outstanding at the 
end of 2002. New regulations that would raise 
the cost and consequently inhibit voluntary 
reporting by creditors would move the U.S. 

* J. Howard Beales, III, “What State Regulators Should 
Learn From FTC Experience in Regulating Advertising," 
Journal of Public Policy <6 Marketing , Vol. 10, No. 1. Spr. 
1991, p 101. 

* Kitchenman, US. Credit Reporting. 
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system closer to the restricted files common in 
many EU countries, impairing the portfolio 
risk assessment that is at the heart of 
securitization. This would lead to higher costs 
for investors, a reduced supply of loanable 
funds available in the mortgage markets, and 
higher mortgage interest rates. 

We have also discussed how less compre- 
hensive credit reports would raise the cost of 
entry into new markets by all lenders. Recall 
that competitive pressures in the credit card 
market in the late 1980s and early 1990s led to 
a dramatic decline in credit card interest rates. 
Less competition for new customers would 
begin to ease the downward pressure on credit 
card pricing. With over $700 billion in revolving 
credit outstanding in the U.S. at the end of 
2002, every percentage point rise in average 
credit card interest rates would cost consumers 
an additional $7 billion annually. Extending 
this example, since comprehensive credit 
reports and prescreening enhance competition 
across all types of consumer credit, every 
percentage point rise in average consumer loan 
rates would cost consumers $17 billion in 
additional finance charges annually. 81 

The econom ic impact of declining access to 
credit is difficult to estimate. Certainly, some 
portion of the 516,000 homes that Americans 
purchased every month during 2001 would not 
have been sold had mortgage credit been more 
expensive and the underwriting standards for 
loan acceptance been higher. The same is true 
for some fraction of the 1.4 million cars, SUVs, 
and light trucks purchased in the average 
month, the majority of which were financed 
with loans or leases. Clearly, a reduction in 
consumer spending on housing and durable 
goods resulting from tighter credit markets 
would impose a drag on U.S. economic activity. 


All quantitative estimates of the costs of 
moving to a less comprehensive reporting 
system are necessarily speculative because they 
anticipate changes to the U.S. credit reporting 
system that we have fortunately never endured. 
Regardless of the magnitude of such dollar cost 
estimates, the threat of unraveling the gains to 
individual consumers should give policymakers 
the greatest pause. Compared to most other 
developed countries, the U.S. national credit 
reporting system has helped make it possible for 
a higher proportion of Americans to live in their 
own homes, drive their own cars, and afford 
college educations. It has greatly increased the 
number of Americans who now qualify for credit, 
insurance, and other financial services, and 
increased the confidence of providers in meeting 
the needs of previously underserved populations. 
The credit reporting system, undergirded by the 
FCRA, has helped to break down geographic and 
economic barriers, so that virtually all 
Americans can choose from services provided by 
competing businesses without regard for loca- 
tion. Credit reporting has had a literally trans- 
forming effect on the lives of less well-off individ- 
uals, young adults, and those located in small 
towns and rural areas. “Democratization” 
describes a broad and beneficial social effect, but 
the greatest measure of the impact of robust, 
national credit reporting is measured in the 
millions of individual lives improved. 

In sum, it appears that all of the available 
evidence — economic and otherwise — suggests that 
the national reporting system that has evolved 
under FCRA has helped make the United States 
the world leader in the development of competi- 
tive consumer and mortgage credit markets. 

*' Based on $1.72 trillion in outstanding (non-mortgage) 
consumer credit, as was the case at the end of 2002. 
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